foreign we are very excited to welcome you on the vapt session today and we have gone live and as soon as people start jumping into our session uh we we get to see uh that they are joining it we have just started a little early a village and as we talk we will get to see people uh joining in the session So yeah thank you for having me Sam sounds good to me all these things yes and uh today we are very excited to also announce that we are live on two streams in fact uh this is the first time we are going simultaneously live on both LinkedIn as well as YouTube and we will be really looking forward to both sets of audiences uh commenting and giving questions and I think you will have a fantastic interaction session today I'm I'm also looking forward to the same so I would like to know uh certain things before we formally uh start the session at seven is that um what what are the kinds of uh companies or the people that come across that are now very aware of the APT and they know the impact of getting this implemented uh okay this is this is really a good question so the thing is earlier like when I started my vipd journey so that was a time where people you know the companies which are already well established uh which are mandated by some ISO standards or security standards so they used to uh or or like companies like Banks or uh you know financial institutions where there was a money involved or a sensitivity data involved so only those companies were you know interested to get the vapt done to get the advanced red teaming uh sessions done for their applications for the infrastructure but now as you know like there's a increase in bug bounty hunters nowadays like since last two to three years and people are uh learning more security things like how to catch bugs how to try to get a bug Bounty Etc and that's where they have started to you know Target small companies as well like which are even not into a very very crucial business like e-commerce but they have the 
internet presence and now they are well aware that even if we have a internet presence uh we need to be secure because at least there's a brand value involved like if we get hacked so our brand value uh gets maligned so that's where everybody who is having a internet presence nowadays who is having some good business uh we can call it as a startup or a big company is looking to you know get bapt done from outside vendors or from their inside consurgents all right all right so abhilash do you see this uh Trend somewhat um post covet this acceptance of vapt and understanding the importance of getting it implemented in even the smallest cup of companies do you do you see a start change post covet uh we can say that post postcode was a little increase I can say because uh again like many many even security Engineers started doing work Bounty as they were working from home uh but yeah this even the the government support to digitization and security uh some uh some of the moves by Indian government also LED people to think about the security assessments of their applications or right or right so uh and and how do you see a change in Awareness also I mean earlier did you struggle or did you see the people who were implementing vapt had a time uh you know allocated to just explain that why it has to be implemented and now do you see that the acceptance that this this conversation of why you need to get this done it's reducing now people already know that it has to be done it has to be implemented do you do seize a difference in that perception yes absolutely so there was a trend before that they will protect everything by you know going going by some audit or some standard but actually testing your controls is really important and that's where people found that like we have everything the hardened image all our systems are hardened uh we have web application firewall all different of different ideas IPS devices but still people are getting to manage into their Network or 
application that's where there's awareness that uh getting a simulated type of testing is required so that you can also improve your IDs IPS capabilities firewall capabilities and uh absolutely like your sin capabilities as well yeah so I do see that I think it has become a raging career now because there are so many things that are considered as threat and there are so many things that people can do in order to arm themselves up and establish themselves as a company which has ensured the security in at various levels uh to their clients in front of their clients right yes I agree so over here now uh since it is already seven and we are having people joining in uh this was just a conversation that I was having with our today's speaker which is and you haven't missed out anything uh guys and um uh we are today live from both LinkedIn as well as YouTube the sessions are being recorded and recordings will be shared uh over um over your email IDs we will be sharing a Google form in the middle of this session also at the end of the session so do keep an eye on that fill your forms and uh there are um free takeaways as well today we never let our audience or people go without something so there is something which a village has promised even today and uh he will be sharing that and we will be sharing that with you so we are sharing today a vapt learning mind map or step-by-step guide which will be extremely useful so hang on till the last of the session and uh this this will be a session abhilash will be taking about implementing vapt from scratch and we will be taking pause and take your questions from time to time so do keep posting your questions we will allow avilash a break at times and we will take in the relevant questions and abhilash will be happy to answer them for you throughout the session okay so yeah so at the moment you need not fret about the recordings all the things will be uh shared so it's seven two and I think uh we are having people still joining in 
but now I think we should start with the session so abhilash over to you really looking forward to a very electrifying session today a lot of takeaways and lots of knowledge which is really worth sharing we really look forward to a very very enthusiastic session over to your village first of all I would like to thank minister of security for giving me this opportunity to present in front of large audience uh audience which which is already like you know uh well aware of the cyber security Trends job market Etc and I'm very happy to present or whatever I know and how I started my journey in vapt and I'm also looking forward to you know uh guide people Miss I already did uh that but uh I'm looking forward to guide some people starting their VIP journey and whenever yes I'm I'll be happy to answer the questions uh there understand their genuine problems where they are stuck Etc so let's start so first of all I just wanted to check if you can see my screen no I cannot so just uh please share the screen once more no I'll stream it yeah just share the screen uh so people who are there can you please confirm whether you can see the screen I can see the screen uh okay I think yes yes in YouTube uh and Linkedin both we can see it yeah yeah okay okay cool so uh thank you our audience for joining I know it's Sunday evening and uh thanks for sharing some time in the evening just to know more about vapt and how to learn that so I'll just start with my session so before that I wanted to give my introduction so I have to do seven years of experience uh doing vaptn application security you can say my core skills are application security so I do everything in application security right from uh doing a VA PT for web mobile apis thick clients to doing your security Assessments in kubernetes or Docker kind of environments I also do the source code reviews for my company and for my clients uh the another core skill that I have is a vapt other than that spear phishing email security and 
endpoint security is something that I handled for my current company so I have few certifications in my bucket like CH uh did a few years back then I am a certified kubernetes administrator so I did this just to learn the kubernetes and the uh to know more about the security inserts in the kubernetes platform containerization I am certified in cyber security from IC Square I also did the ccsk which is a cloud basic Cloud certification and I'm a CCNA as well uh I'm an Electronics communication engineer by uh graduation and I'm currently pursuing my MBA so that's about me Miss I had I had experience working with understanding eui uh then Network intelligence India and I Consulting uh one of the endpoint security company called escan antivirus a Mumbai based company and I'm now currently in a Koh city Storage Solutions okay so I'm moving to my uh today's topic which is what is vapt and how to learn that so first of all like I just want to tell you the difference between vulnerability assessment and penetration testing so some of you might know that these are two different things some of you might not know that these these actually like you know differentiate but uh always be spoke come speak combinedly so first of all anything you identified as a you identify as a vulnerability and then you report so that's that's a vulnerability assessment that you identified the vulnerability you have a classification already or you may not have then you will look for the classification like what is this vulnerability whether it's a web based a network based whether it's RC or whether it's a injection like kind of SQL injection uh whether it's exploitable or it's non exploitable so classifications can be multiple so when you identify a vulnerability you will know class of that vulnerability uh then you also try to prioritize which vulnerable to fix first if you have two or multiple vulnerabilities and that can be done over a network infrastructure computer systems and applications 
applications can be any web mobile apis thick lines Etc and this is like so when when you think about vulnerability assessment your goal is to discover the known vulnerabilities you cannot obviously uh discover the unknown vulnerabilities because that will be known as zero day attacks and if you are good enough then you will uh definitely identify the zero days as well but the goal of va is to discover the known vulnerabilities across your environment and the scope of this VA is wide and Broad so for example you want to know all the vulnerabilities in your network instead of focusing on one critical vulnerability and that's where like you try to do a vulnerability assessment for your network infrastructure for your application Etc and as soon as you identify the vulnerability you report that to your developers or to your client so that they can fix that vulnerability so the outcome of va is the list of vulnerabilities means what you will get at the end of vulnerability assessment is the confirmed list of vulnerabilities in a particular application that you are testing or uh or a network infrastructure you are testing so the next thing is penetration testing means when once you identify a vulnerability and now if you want to focus on any single vulnerability and to check how it will impact on my organization or for for my client so for example you identified SQL injection and now you want to identify what you can do with SQL injection whether you can actually exfiltrate data whether you can run a remote code exploitation like you if you can take a reverse shell off through that SQL injection or you can just see some data which is not so useful and there are like you know limited privileges you have and you didn't get anything uh useful out of that SPL injection so that thing you will know only after doing a penetration testing and that's where the goal of penetration testing is to you know discover and exploit vulnerabilities to show how hackers would use them for 
their benefits so benefit can be anything it can be a financial it can be just a happiness of exploiting that vulnerability but that will adversely effect affect that particular organization or the particular client so the goal here is to go deep into a single vulnerability to identify its evil pack on a business financially or in terms of brand computation so the scope of penetration testing is focused and deep is you try to go as much as dpu you can so for example you got a SQL injection through SQL injection you got to you got a RC remote code exploitation and through remote code exploitation you you could access one system from that system you laterally move to another system and that's where you went from a web server to a database server and now you have a position of database server as well and that is like a going deeper than after database server there can be any other critical server and you try to go as deep as possible and it is like you know miss you only stop when you know that this is the problem Jewel for this organization and once I have that the impact is so large that a business can stop or you know means there will be a news in the market that this company's hacked and that can happen with the penetration testing the outcome of this annotation testing will be you know prioritize list of vulnerabilities how you actually exploit them because uh it's just not that you exploit the vulnerabilities and report to the client client also wants to learn uh how the hacker exploited that vulnerability and whether we were missing on some certain uh checks like if the firewall was not there if we allowed excessive permissions to the database user uh what what uh went wrong can be identified uh with the way that hacker explores a particular vulnerability so that we will also get a walk through so step by step work through like how uh actually the hacker went and exploited that vulnerability and did the lateral movement into the network or into the application 
and lastly uh you will also get the remediations like now how you can actually remediate these vulnerabilities so if I have to tell you the example uh if you exploit a SQL injection and if you can take a reverse shield and if you can laterally move into your uh inside Network so in that case just you know fixing the SQL injection will actually fix that particular vulnerability and will stop the hacker from exploiting the same path again but there can be different parts so what is important is you also set the restrictive permissions on your database you also use a low privileged users on your web server so that an attacker will not have a privilege privileges to run anything else and then you also Harden your system knowing that there were some components in your operating system that were easy to exploit in case of previous escalation and then you you'll learn all those things as an outcome of penetration testing so I'll just move forward on the next slide Okay so so what actually security engineer does in the in case of vapity so if I if I am doing a vapt so I should be able to explain what I'm doing in terms of vapt so this is the day-to-day job that I perform or any vehicle engineer will do so first of all asset Discovery so you know Miss whether you are working for a client or for your own company you need to know what is your uh uh what is your what is your attack surface so for example if you don't know that you have this particular server uh available inside your inventory and it is running and it is critical so you will not touch that server for a VA and that's where it is very important to you know discover the asset so one of the uh just to interrupt you uh can you uh uh you think you can increase the or Zoom your slide a bit because uh it seems for our YouTube users the slides they are saying it's not clearly visible so do you think you can zoom it a little bit uh one second let me try can someone please confirm if it's better it's it's clear okay okay 
all right Okay cool so uh thank you for that so the first thing is asset Discovery so what I do in my day-to-day job is I I have a script you can say or I do a I said Discovery job regularly uh quarterly or monthly to identify newer assets uh that are available in my network infrastructure and you can also do that over internet like if your company has a internet presence of multiple websites your domain multiple sub domains Etc so you use the uh information gathering techniques like identifying the sub domains of your company or scanning for Port 443 on the AC ASN that you own or that your company owns so we use multiple different techniques to perform the asset Discovery whether it's a ping scan whether it's a tool called nmap or attainablenesses uh if I am doing a sub domain enumeration I will use a tool called a mass so that I'll get to know like what all sub domains are available what all uh websites are hosted by my company or Internet so I do the asset Discovery uh for that I use different uh Discovery techniques like host Discovery techniques so if you read nmap sometime in detail so you will see there are many host Discovery techniques as well like you can scan the entire network you can specifically scan a IP you can scan the hostname uh the way the way the techniques that are mentioned you can utilize them the goal here is to identify all your asset assets so uh there was a time like with my clients so there was an internal security engineer with that client and they were scanning around 4000 IP addresses in their attainable nurses without doing any asset Discovery and that was like you know uh that scan was there since last two to three years and they were scanning only 4000 IP addresses and we being there uh vendor so what we did is we just ran a SM Discovery in their network using their own tool called tenable IO and we found that they actually had a 25 000 assets in their Network and which were absolutely uh not identified by their organization 
because of lack of cmdb you can say and that time they got to know that okay so they have 25 000 assets out of that around four to five thousands are critical servers which needs to be performed at least vulnerability scanning to be performed and that's how then they increase their attainable licenses and they started uh doing a active VA scans to cover their entire attack surface so at asset Discovery is important that we do regularly in case of vapt job next one is the vulnerability scanning so most of the time people utilize uh licensed or you know automated to license automated tools to perform the vulnerability scanning there are some open source tools like openvas as well but uh printableness is something that is quite famous quality guard is something which is quite famous to do this vulnerability scanning and what it does is it does the network vulnerability scanning uh now now this tools also has the support for a web but there are specific web scanners as well like akinetics or net Sparkle in the industry which are you know uh quite famous for their detection of web vulnerabilities so then next in the next step we you we do the vulnerability scanning and we try to identify the vulnerabilities that will be discovered by the uh automated tool only but what is important here is to scan the configuration to configure the scans scan policies basically so for example if you go by a default scan configuration there's a high chance that you will be only scanning top thousand ports and not everything so it's important to know your scan policies whether you want to cover all 65 535 ports whether you want to cover a web application pen testing or not so that is something that you need to learn this will be a tool specific because every tool has different settings but the settings will be similar like I just told you like whether you want to coverage uh cover the entire course or limited ports or specific Services Etc So based on that uh and again like based on the 
uh Network infrastructure that you are scanning there can be uh limitations so for example you cannot use dos techniques through your scans because those are some critical components like power devices which go offline if you perform the Dos attack on that particular system so in that case you need to segregate those systems separately and you have to create a separate policy where you will disable some plugins which can perform the Dos effects and then you will scan those assets according to that policy so that's what we do regularly there will be there are different requirements daily like this is the new asset we are hosting now we need the scanning uh this this cannot handle the load so you need to do a slow scanning so you you need to adjust the threads Etc so that's what we configure in the uh tools like tenable next one is the vulnerability identification is I know that tenablenesss or any other automated tool will provide you a list of vulnerabilities but sometimes like you know you being a small company if you don't know if if you don't have a position of any good license Tool uh but you know like if you are using a nmap and you are doing a service scan and now if you know that these are the services running in your particular uh infrastructure so for example FTP this particular version or HTTP this particular uh web server like Apache or IIs and that particular version of IIs like 10.0 so what you can do is you can go uh on a publicly available databases like CV details or nvd and where actually you can put your current software version so for example is 10.0 and you can see a list of vulnerabilities that are available right from critical to low and then you can say that your version is vulnerable like your IIs 10.0 version is vulnerable to these vulnerabilities and you will just identify that this particular version is vulnerable to these CVS and that's what you do in the vulnerability identification this this step is already there in the vulnerability 
scanning tools but it can be done as a separate engagement as well to identify your all the devices or your devices their versions Etc through your cm cmdb and then identify the vulnerabilities for them uh okay so next step is vulnerability confirmation so most of the scanners so they they rely on a software versions to report the vulnerability so for example if Apache 2.24 is there and there are some xss vulnerabilities on that so any good scanner will tell you that they relied on the version reported by the Apache service that is 2.24 and therefore it is vulnerable to these these attacks you may have any other you know uh remediations for that so for example you already have a web application firewall or you have removed any particular component that is vulnerable vulnerable but uh scanners may not be able to detect that and they will just rely on the uh that particular version and they will report you the vulnerabilities so for that you will use tools or scripts that are readily available in the Kali Linux or most of the people like to share their work or GitHub so you can use GitHub scripts that are available for that particular vulnerability or a port and you can confirm using a different tool whether the vulnerability is there or not so if I have to tell you example I'll just take a few questions all right um I would like to give a few of as well first question is uh we have from shivaraja Malaya that uh there is a tool called qualis it hasn't been mentioned is there any specific reason why you haven't uh no so these are the tools that I use day to day that's why I mentioned but when I mentioned tenablenesses the quality guide is equivalent to that only so what I did is I tried to cover only one tool from that particular area okay okay but I I did mention uh you know that the police guard is also there all right or a YouTube live that can you show us the screen of the tool do you think you could be able to do that I I don't have it readily available but uh I 
can I can share it afterwards or if I have to tell you tenableness is professional is available for seven days free trial uh it's just a 50 mb setup you can download and you can explore all the things in that particular okay awesome and also to let others know that this session is being recorded okay uh we will see whether we can share it in YouTube LinkedIn but definitely uh right now just keep an eye we are going to share our Google form please ensure that you are filling in your details so that even if you're missing out on the YouTube or LinkedIn recorded live uh details whenever we are publishing it we don't miss you over the email so the Google form is being shared right now kindly fill in your details so that uh we can share the free takeaways at the end of the session and also uh the recorded session is something that you're not missing out on okay yeah over to you again yeah thank you so I was I was at uh vulnerability confirmation so so you you can utilize multiple scripts that are uh available open source scripts open source tools available in the Kali Linux to confirm that particular vulnerability so for example if two or three tools can confirm that there is a vulnerability uh you can actually go and report that vulnerability to your developers uh just because you confirmed with two different tools two different kinds of tools I will say like not two different scanners only so if I got something in tenablenesses for SNMP so I will use a open source tool called SNMP work to check whether I can actually see uh any IDs SNMP IDs uh by connecting to that particular SNMP port on that IP uh similarly if I see any HTTP port and vulnerability reported by that particular component so what I will do is uh I'll go on that particular Port I will use a vaporizer and I will check whether the same version is there same jqueries are mentioned uh there or not so in that way I will use two to two to three different tools uh if they are available to just confirm that 
particular vulnerability so okay next is vulnerability prioritization so this is something which is quite important because uh see in a in a company where there are thousands of servers you will have your tenable results or a scanner results readily available and your uh different infrastructure teams are developers will be working on some vulnerabilities but let's suppose there's a zero day kind of lock for J or recent downfall Intel downfall vulnerability so if that comes as in zero day so your goal should should shift from whatever you are doing to actually manage the current vulnerability that is being you know exploited worldwide so when there was a lock 4G we we had a vulnerabilities like RC SQL injection uh in an infra but then we had to shift our Focus to the lock version because that was being actively exploited at that time so that was one of the vulnerability prioritization and we did that was based on the versions and the log 4G versions that we had that time so so vulnerability prioritization can be based on severity so for example obviously you should prioritize critical vulnerabilities before medium or low uh then there's a Next Step called exploitability so this is this is quite you know useful uh the exploitability factor so scanners will report vulnerabilities like outdated Python 2.7 version and that will be reported as a critical vulnerability but if you actually go and see the latest Python 2.7 version there are no CVS associated with that particular python version so in actual there are no vulnerabilities on Python 2.7 but as canvas says this is outdated there will be no uh security patches by the vendor Etc and that's where the scanner is marking it as a critical or high so in that case you can actually reduce the vulnerability I'll not reduce the vulnerability but you can actually prioritize that letter uh compared to if the rce or SQL injection is there so that is something means the the vulnerabilities like outdated operating system for 
example Ubuntu 16 is outdated there are some vulnerabilities on that uh it is critical but if the system is internal it's nowhere exposed uh outside that particular VLAN segment uh then it's okay to actually prioritize other critical vulnerabilities over that outdated OS because that outdated OS can be a part of some uh testing for the client it can be a it can be a part of some some sandboxing that developers are trying to do and trying to check their functionalities on the older older systems so instead of like going by the critical criticality there uh you should also check the exploitability whether it is possible to exploit considering all different factors that whether the system is uh publicly available like publicly accessible or it is a private it is it is in the private Network it is in the DMZ and based on that you can take the decision uh one of the one of the better things that scanners like enablenesses or quality guard offers is they tell you whether the exploits are available or not for this particular online ability and if available whether those are available in the Metasploit or those are some uh proprietary scripts or words so these cameras will tell you that okay so this particular vulnerability has an exploit readily available in the Metasploit and Metasploit is a quite common tool for vulnerability exploitation and anybody can just use that particular script and exploit the vulnerability so this is something you should prioritize against your outdated OS so that's that's what the prioritization is then next thing is asset categories as well so you might have a system which is uh which is in a QA which is which is not holding any sensitive data and then you will have a system which is super critical uh production system so obviously you will prioritize vulnerabilities on the production system compared to QA systems and next one is the data classification whether the data label is internal or it is uh it is the customer data client data whether 
it's a financial data so whether it's a pii So based on that also you will prioritize the vulnerabilities uh so for example there are two two versions of SQL injection in which at one point uh customers private data is being exposed at other point your QA systems passwords are being exposed so now you will decide what is more important like protecting those internal passwords or protecting the customer data and based on that uh you will have a you will have some guidance through your Senior Management and they will tell you that you focus on the this particular customer data system or this particular QA system when passwords are being exposed so yeah that is vulnerability prioritization so we do a day-to-day uh the prioritization next is vulnerability exploitation so this is where pte is coming into a pixel and it is interesting so now if if so so um do you think we can take a few questions right now yeah sure so we have a question what is the factor in the CVS's base score Factor yes okay so so factor I factor I can say some property where uh there are three like the different uh scores so for example uh any any vulnerability when you decide the seability of that vulnerability what is most important is uh you you are protecting the confidentiality integrity and availability so these can be the factors that a confidentiality is being hampered so that's where uh your CVS score will be uh more if if none of the confidentiality uh Integrity availability is being hampered but there are some environmental factors and a little bit of confidentiality exposure So based on that also there can be some differences in the CVSs so different factors measure of them will be confidentiality Integrity availability apart from that there will be factors like how exposed your system is whether it's on the internet whether it's on the Lan whether it's in the particular segmented VLAN so these are the factors to consider while calculating the series basis uh okay so next is uh we want 
to know is there any difference between agent and agentless vulnerability scanning tools uh oh okay yeah there's a difference there's a there's a difference so first of all uh agent list scanning tools so you you identify Network vulnerabilities by scanning that particular IP uh identifying the open ports and then identifying the running Services whether those services are vulnerable or not but if you provide credentials so for example SSH credentials so your scanners can actually login into your particular system and they can identify now the OS based vulnerabilities as well where in the credential scanning but now if your scanner has agents already so those agents can actually work as a credential scanning method of this camera so for example instead of providing the SSS credentials the agent is already running on that particular system it has all the Privileges that are required so it will provide you the more number of vulnerabilities related to the network as well as related to that particular underlying system so that's the difference meaning in case of agent based vulnerability scans you will get insights of your OS vulnerabilities package vulnerabilities as well uh in case of agent list scanning if you are providing the credentials then only you will get based on the Privileges of that credentials you you get to know the vulnerabilities of that system if no credential is provided at all you will just get the vulnerabilities on the open ports and services running all right so abhilash the next question is I uh there is something from Mr Siddharth Agarwal who said I tried implementing open vas however it requires root access on other VMS to scan it is this safe and does such VA tools brings additional risks we at VA tools yeah thus bring additional risks but uh you know Miss prior permissions from your Senior Management is required so so things can go wrong in case of vapt so for example you you now need to perform the PT on the production system but that 
running a command, if you don't know what you are trying to run, can actually stop something or interfere with the running service, where your production system can stop or crash. For example, if you try a buffer overflow on a production system and it gets crashed, that will actually stop your business. So there's a risk if you are doing something without knowing what you actually are trying to do, and you should have proper permission; for example, even if the production server gets crashed, you should be able to convince them that this was part of the test and the server could not handle this particular exploit, and that's where you need to patch that particular server to handle that vulnerability. But yeah, most of the security tools require root privileges; whatever tools I use, Kali scripts or open source tools, they require root privileges, and that particular PT system should be under your possession only, super protected, and nobody else should be able to log in. All the logs should travel through your SIEM; whatever you are trying to do, there will be whitelisting, but you should be able to do forensics afterwards if something is happening through your PT lab or your PT system. So that's where you need to actually take screenshots or collect the logs of the things that you are trying to do.

All right. So the last two questions that we'll take are: the difference between the CVSS 2.x base score and the CVSS 3.x base score?

Okay, so frankly speaking, I don't know the difference between CVSS 2 and 3 because I am using CVSS 3 only, but I guess there were some factors added in case of base and temporal; I am not sure about that.

All right. We have another question, the last question before you proceed again: if a tool provides both agent-based and agentless solutions, then which
is the more recommended mechanism to report vulnerabilities with fewer false positives?

Agent-based is something that will give you the power of credentialed scans. I will recommend agent-based scanning if you want to identify vulnerabilities with the power of credentialed scans. For example, don't just consider that hackers will know nothing; as soon as they crack your password, they get into your system, so then also you need to protect some systems. For example, if you have vulnerable Linux components which can actually allow you to escalate your privileges easily, you want to fix those, so that your limited-privilege user should not be able to escalate his privileges and become the root user. So that's where agent-based scans act like a credentialed scanning mechanism. For non-agent-based scans you need to provide the credentials, and they will actually do the same thing. But the other advantage of agent-based scanning is that there will be no network traffic: the agents will actually pull all the plugins, then scan accordingly, and they will just report the results at the end to that particular scanner portal. In case of non-agent-based scanning you have to host some internal scanners, and then they will scan all your network ranges, flooding your network, etc. So there are some advantages of agent-based scanning.

I think you should again take up the session, and just to let everyone know, we will let you know about our recorded sessions. Do fill in the form that we have shared on both LinkedIn and YouTube; if you have any problems filling it in or are still not able to access the form, we will share it again. Please stay tuned till the end of the session, because we will be sharing the form and we will let you know about the free takeaway. Thank you so much; go ahead, Abhilash, over to you.

Yeah, thank you. So the next part is
actually vulnerability exploitation. As of now, you were on the vulnerability assessment part, but as soon as you come to exploit any vulnerability identified by the scanners, or by looking at the software version and knowing the severity, that's where exploitation comes in. So you actually exploit the vulnerability: you do privilege escalation, you move laterally, or you see if there's a vulnerability which allows you, let's say, anonymous login, so you actually go and log in and see how you logged in and what you can now access, in case of FTP, or in case of a web admin portal where known credentials are being used, you actually log in and see the screen and try to exfiltrate something or learn something. That is called exploitation. This is the advanced thing that you do as penetration testing, where you should have the skills of privilege escalation, lateral movement, data exfiltration, remote code execution, injections, etc. The thing is, this particular step will be limited to what knowledge you possess. If you are a beginner and you don't know how to run Mimikatz or how to run some advanced network security tools, you will be limited to actually exploiting that vulnerability and being happy about exploiting it, but you will not be able to further escalate that to lateral movement from a normal system to a server inside your organization. So that's where the vulnerability exploitation step comes in, where you actually try to focus on critical systems, the crown jewels, and you try to identify multiple ways to get inside your crown jewel and try to actually test all the security mechanisms that are protecting that particular critical server.

Okay, so next is vulnerability reporting. Reporting is very important. I worked in a consulting firm where I used to actually create a report or create an Excel-based
document to share the vulnerabilities with my clients. But it can be challenging if you are working in a product-based company and you have more than a thousand or two thousand systems, and you don't know the asset owners or the system owners for those particular vulnerabilities; it will be challenging. So your job can be identifying the owners, then reporting the vulnerabilities to them, following up with them for closure of those vulnerabilities, etc. In product-based companies people use ticket-based tools like Jira; in consulting, people actually generate PDF reports and provide them to the clients. If you are a senior manager expecting something better out of the engagement, you will also ask the VAPT guy to provide a PowerPoint presentation which will give you the overview of your security structure in terms of VAPT. So you need to work on Jira tickets or PDF reports or PowerPoint presentations just to present your vulnerabilities. Another thing is, when you prepare a report, if the intended audience is developers, you may want to tell them the remediations that are available in the market, so for a particular vulnerability, all three remediations, and then let them decide which one to choose. But if you are reporting those particular vulnerabilities, or a report, to a CSO or senior management, they will be interested to know what is at stake: for example, if there's a breach of financial data or personal data, they won't be interested in knowing very technical terms, but they will be interested in knowing how it will impact the business financially and in terms of brand reputation. So it's quite important to think from that perspective as well, not only from the technical perspective but from the brand and monetary perspective as well.

Okay, so we discussed this, that the
difference between VA and PT is just that PT gets vulnerability exploitation as an extra step, and this is where people need to learn about exploitation, because asset discovery, vulnerability scanning and vulnerability identification are now entirely tool-based, meaning even if you don't put extra effort into these steps, that's fine, the tools have all of this; but exploitation is something that needs manual effort to exploit that particular vulnerability, and it is purely based on how knowledgeable you are.

So let's learn about VAPT types. For example, in case of infrastructure, on-prem infrastructure VAPT was there since the beginning, but now as people are moving to cloud, cloud infrastructure VAPT is becoming the need of the hour, I'll say. Please don't confuse this with cloud security. Cloud security is something where you actually go by some guidelines and you try to secure your cloud; cloud VAPT is something where you try to break into the cloud, you try to identify vulnerabilities. It can be an internal assessment, it can be an external assessment, but most of the time your cloud resources will be inside your private VPC and very few ports will be open over the internet, and that's where you will do the external PT on those exposed ports. If you want to do an internal VAPT you need to have a VPN connection or host your particular PT system inside that infrastructure, where you can actually access all the cloud resources to exploit them. Another infrastructure VAPT is also there, known as wireless VAPT, but organizations actually use strong access points, etc., and the industry standard now says you use the WPA2 standard for wireless security, etc., so most of the time wireless security is not being done actively in VAPT. But it's a part, and it's good to learn wireless VAPT as well, meaning how to actually de-authenticate the connected users and how to grab the Wi-Fi password is something
that you need to learn, and based on the configuration of your customer's Wi-Fi access point you will be able to actually break into the wireless as well. On the application side there are web application PT, mobile application, API and thick client penetration testing. Out of those, thick client is something of more interest to clients which are actually in the business of thick clients; for example, Microsoft Teams is a thick client, and if you have robotic process automation tools like RPA UiPath, there will be thick clients of that RPA process which you want to perform the pen testing on. But quite famous are web, mobile and APIs. So let's take questions if anyone has any.

Okay, so there is one question which I think you can address at the end of the session, where people are asking how you would recommend a career in this field for any beginner; you can just keep a pointer open for discussing the same at the end of your session. We'll take some of the other questions, like: what is your recommendation for an asset management solution to identify the system owners, as this is a big headache for any organization employing a security solution?

Okay, so anybody will tell you that you should have a CMDB for asset management. But again, if you have a really cluttered infrastructure, not knowing who owns what, it's best to actually grab the servers and their owners and then let them integrate their servers; the VM provisioning servers I'm talking about. For example, VMware vSphere or vCenter, from where you actually spin up VMware ESXi hosts, and your ESXi hosts will have multiple VMs again. So you then get the VMware vCenter owners to integrate their vCenter with the CMDB, and from that vCenter, whatever ESXi hosts they are spinning up should be automatically recorded in the CMDB, and you should first consider that particular
vCenter owner as responsible for whatever is spinning up from his particular server, and then he should identify which ESXi hosts are assigned to whom, like who requested that ESXi, and they should actually add that information to your CMDB. Because this is something where, if everybody contributes, it's a job of one day; if nobody is contributing, then the network team and the security team alone cannot do anything in this case, because if I am a developer and I own five VMs and nobody knows that, all of those VMs have the same hostname and only different IP addresses, so in that case nobody will know who owns them if your infrastructure is large enough. So it's important that you actually communicate to the people that we are trying to gather information, and you report all the assets that you own, else whatever assets we find in the network without knowing the owner, we will shut them down. That was the approach that one of my clients took, and then the engineers were proactive to tell: these are my systems, I'm actively testing them, I'm actually doing development, please don't shut this down, and this is where I'm reporting that these are owned by me. That's where they were able to track at least 70 to 80 percent of the systems, and then they shut down 20 systems, and as soon as they went offline, people started tracking why my system is offline, and they then reached out to the IT team telling them that these systems are offline, I own them, and that's where they updated their CMDB again. But once you update the CMDB, then there should be a policy of having unique MACs; there should not be duplicate MACs. If your CMDB or asset discovery tool identifies two systems with the same MAC, you should actually change that MAC, because virtual systems can have the same MAC address. I hope that answers your question.

Yes. So we have a question: do you mean thick clients as Windows-based
applications, like .exe packaged products?

Yes, they can be. Most of the time they will be .exe-based only, but then similar implementations are available for Mac systems and Linux as well, as packages, but they are not so famous in terms of doing a VAPT; most of the time people prefer to do VAPT on the Windows packages.

I think you can continue.

Okay, so one thing that I wanted to tell you is, if you know any red teamer who is doing a red team engagement for your organization, or if any one of them is your friend, he will have knowledge of all these areas, because red teamers need to learn; they try to learn as they get the targets, and immediately they start exploring what is in front of them, whether it's wireless, if they got the password to the wireless, and from then how to move laterally to the inside systems. So that's where they actually actively try to identify the ways to navigate through all the different technologies, whether it's web or whether it's on-prem infra. So red teamers will be the highly qualified, highly expert people in the area of VAPT, I will say.

Okay, so let's start the topic, since a few of the members who are beginners wanted to know how to start with VAPT. The first thing that I wanted to tell you is, when I started VAPT, I used to actually save each and every course that I was getting through torrent or through Telegram, and I never actually looked through those courses, whether it's the correct OSCP material, whether it's Udemy courses or Pentester Academy courses. Yeah, all of you, if you are already in the security domain, might have downloaded those and stored them on your hard drives or Google Drives; I was one of them, but I could not actually go through the details of any of those courses. I learned everything from doing the testing in my company; it was a consulting company and there
were team members who were doing the same stuff, so there were discussions around the team. If I was not able to actually exploit any vulnerability, I used to take help from my teammate or my senior who was actually a pro at that, and that's how I learned: okay, so the vulnerability can be exploited this way as well and that way as well; there are multiple ways to exploit one vulnerability. There are resources available; the thing is that people don't get to know where they should start. So even now I'm not focused on which courses you should take and which videos you should see; I'm more focused on what you should learn when starting in VAPT.

So the first thing is knowing basic networking. You need to know the basics of networking, for example what is LAN, WAN, CAN, MAN, and logical classifications like what is a distributed network, what is a client-server network, what is internet, intranet, DMZ, because knowing that only will help you if you go by any of the other topics like web or infrastructure PT. The next one is the OSI and TCP model in detail. Why is this important? Because all these scanning techniques are based on the TCP/IP header, where you need to know the three-way handshake, what is SYN, what is SYN-ACK, what is acknowledgment, when it is called a connect scan, when it is called a SYN scan or different scans. So that all depends on basic networking and TCP headers. These are some topics that are important to learn, and I know one good resource known as omnisecure.com which has a separate web page called basic networking, and they cover all of this; if you just read through them, you will get to know what are wireless technologies, how many types of 802.11 / 802.11x there are, what are the LAN technologies, what is fiber optic cable, what are the network devices like switch, router or firewall or advanced next-gen firewall, what are the network
topologies like bridge, circuit, etc. One of the most important things is knowing the most common ports, like DNS, DHCP, HTTP, SMTP, SNMP, etc.; whatever you know as common ports, you should learn about them. You should at least know that they are being used for some purpose: for example, HTTP is being used for serving web pages and SMTP for the emails, so you should know that; SNMP is something for the internal communication between servers, so that is something that you should know out of those particular network ports and protocols. Usually you should also know that DNS works on port 53 and SMTP works on port 25 and 995 as well, so you should know the difference between them. So you should go by basic networking before you start any VAPT learning. You should also read basic cryptography, because whenever you go to web application PT or infrastructure PT you will see some cryptographic elements; for example, any scanner will tell you that this particular website has weak SSL protocols and weak SSL ciphers available. But if you don't know them... most of the time, initially, for three or four years in my career, I never looked at the details of the ciphers that were being shown, because the tool used to actually highlight that okay, this is the weak cipher, and I used to report that. But why is that weak, what weakness is there? Those are some basic details that you should know: collision is the weakness, that is the reason that MD5 is weak and should not be used. Those are the cryptographic weaknesses, and that's where you should know you should not use MD5 or just SHA, but you should use SHA-256 or SHA-512, or you should use bcrypt for password encryption, and you should not use SHA for password encryption. Those are some basic details that cryptography teaches you, for example what is symmetric and asymmetric cryptography. Most of the time
an interviewer will ask you how TLS works and which cryptographic methods it uses; basically TLS uses both methods, asymmetric and symmetric as well, so you should know how it does that and why it does that. That gets covered in basic cryptography. Then read about different viruses, virus types, for example malware, worms, ransomware, rootkits, because anything that you are doing as a pen tester can also be replicated by a malware; for example, a malware can automate the exploitation process that you are doing manually by using some tools. So you should also consider the factor that the exploiters, the pen testers, are not only humans; they are the malwares and viruses as well. So you should know the differences between Trojan horses, rootkits, etc. If you go through this particular site, omnisecure.com, you will get to learn all of these things; that one website and those two or three blogs are sufficient to read the basics. That's it; you don't need to then read any CCNA book or any other resource, and you need not see any YouTube videos as well for basic networking and basic cryptography. So this is the simple starting point, I will say, if anybody wants to start with VAPT. I would want to take some questions on this; do we have any questions, Sam?

No, I think you can go ahead; anyway, we are very close to our end time as well.

Oh okay, okay, yeah, sure. So once you learn the basics, the next one is web application PT. Whatever you see in the web application on the screen, web application, mobile application, API, infrastructure: I will say, if you are a beginner, you should focus on web application PT, because once you learn web application PT, web applications consume APIs, so you will cover 90 percent of the test cases of API security testing; mobile applications also consume APIs, so as you are testing them on the web
application, you can test them on mobile applications as well. Mobile applications will have platform-specific test cases that are different, and that can actually be done in a week or so; you can learn the platform-specific test cases of Android and iOS in a week and you can start applying them from the next week, or from day one, I will say, because you just need to follow these steps for decompiling the application and looking through the Android manifest files and running some tools like MobSF or a browser, but those things are actually pretty straightforward. So you focus on web application PT and exploiting the web vulnerabilities, and you will be 80 to 90 percent ready for mobile application PT and API security testing. Once you start learning web application PT you should learn the fundamentals, and the fundamentals are: everything on the web goes by HTTP request and response, so you should know each and everything in the HTTP request and response; then you should know how, when you enter any URL in the browser, it provides you the response and what happens in the background, how DNS works, etc. Those things you should know, and once you know these basic things I will not recommend going by any tool; I will recommend going by a testing guide actually. If you refer to the OWASP testing guide, you will see a vulnerability called privilege escalation, and they have provided at least four to five examples of how it can be exploited, and there should be at least one way that your application will have; out of those four or five examples you can test by that way. So the best thing to practice is to look through the examples that are given, because those are the real examples exploited previously by different hackers. The next thing is you can go on HackerOne and Bugcrowd or similar platforms, and you will see some good vulnerabilities being reported; there are
bounties awarded for them, and those vulnerabilities are like SSRF, SQL injection, and you should actually see how they are being exploited. Reading a step-by-step walkthrough is 90 percent similar to exploiting a vulnerability, meaning once you read a walkthrough, if I present you the application with the same bug, you should actually be able to replicate those step-by-step processes, looking at the reference that you have. And if you are focusing on one particular vulnerability, let's say SQL injection, you try to get at least 10 examples of SQL injection, 10 ways how the SQL injection was exploited; you will see the same steps were followed until people exploited the SQL injection. So now you practice that 10 times, and now you just need to apply that on whatever application you are testing. The most important thing, if you're looking to crack interviews for web application PT or VAPT, is that each and every attack you read about and exploit, you should be able to explain with practical examples. For example, I need to create a story: if I have actually exploited SQL injection in an app, I should know that the app was an e-commerce app, there was a login page with a username and password, and then I tried to actually put a query breaker for SQL injection, like a single quote, and the query broke, an error was generated, and then I did further steps. That's how you should be able to tell the interviewer: this is the way I exploited it. That is the one most common example; you should at least know two to three examples of the way you exploited any particular vulnerability. It is also important to know the remediations; for example, the interviewer will ask you what is the difference between parameterized queries and stored procedures and which one is better, so you should be able to tell them, and you can only tell them if you know the difference and how both of those get implemented. So remediations are also important while giving
interviews, or while suggesting to anybody, like your developers, which one to implement and which one not to. So focus on remediations as well, and learn to write well-articulated reports. For example, your report should have a severity, whether it's critical or high; it should have the impact on that application or on that business; it should have a step-by-step process on how to regenerate that vulnerability; and you should have remediations, step-by-step remediation. For example, if you are telling somebody to add a security header, you should actually show them the steps, like adding a screenshot: you go to this particular configuration file and then you enable this. That's the step-by-step recommendation you are providing to him, so it's easy for him to fix that particular vulnerability in limited time. That is what a detailed recommendation or remediation is, and you should write reports with all of these; that will be called a well-articulated report. If you want to start, I will suggest PortSwigger Academy for web application and tryhackme.com; these are the two resources, the first one is free and the second one is low cost, and you'll be able to practice on these two resources. Everybody knows that OWASP Top 10 is a framework that is widely used to test your applications; OWASP provides a testing guide, and OWASP provides the checklists as well. So you take a vulnerability and try to identify that vulnerability using 10 different methods, and please remember that if you don't get to exploit that vulnerability there will be two reasons: either the vulnerability is not present or you are not knowledgeable enough to exploit the vulnerability at that time. But covering all the test cases is important.

Okay, next one is mobile. As I mentioned, once you learn web application PT, there will be only platform-specific test cases and static test cases you need to learn in terms of
mobile application PT. The most challenging part in any mobile application PT is bypassing root detection and bypassing SSL pinning protections, and you need to learn different methods to bypass root detection and different methods to bypass SSL pinning, both on Android and iOS, so that will be time-consuming for you. Other than that, all the test cases for mobile application PT will be straightforward: looking at the references and going by that vulnerability, testing that vulnerability in a particular area. I will suggest you use the Genymotion emulator, because it's quite easy to set up for Android, and I haven't found any good free emulator for iOS, so I will suggest an old iPhone for testing iOS applications. The only courses that are available are from Pentester Academy; those are also quite old now, but there were mobile application courses from Pentester Academy previously, and if you search for mobile app pentesting on Google you will find many blogs on Medium or the references mentioned here, and how to test any particular vulnerability, step by step, you can learn from that.

Okay, moving forward to API security testing. As I mentioned, 80 percent of things will be covered in web only, and now mobile as well; there will be 20 percent of things, for example you can test APIs in web, you can test APIs that are in mobile, but there can be a time where you need to test only APIs which are a product of a company. Those APIs you need to open in a tool called Postman; those APIs will be REST APIs, you will see requests and responses, and now if you want to test the API you need to learn how to capture the request from Postman into Burp Suite or any other proxy tool, and once you capture that request in the proxy tool, the test cases will be similar to what you did in the web application. There are a few things like authentication and authorization methods used in APIs, for example OAuth 2.0, OpenID, OpenID
Connect, JWT tokens, so there are weaknesses in these areas as well. I will suggest you go by the free certification courses on API Academy and apisecuniversity.com, so you will learn the weaknesses in the API security areas as well, like in OAuth 2.0 and OpenID and how to test them, because these are small two-hour courses which also provide you certifications to showcase on LinkedIn, and they are good to know the vulnerabilities in the areas of authentication and authorization technologies.

The last one is infrastructure PT. As I mentioned, in case of infrastructure PT the courses are quite famous, like OSCP by Offensive Security and PNPT by TCM Security; these two courses are quite famous and everybody from the security industry must know that there are these two courses in case of infrastructure PT. The thing is, at least to begin, you need to learn about host discovery techniques and port scanning techniques using Nmap or similar tools; you need to learn how to configure policies in any licensed tool like Tenable Nessus or Qualys Guard; and you need to learn how to identify vulnerabilities based on software versions. One of the best things is, if you are using any commercial tool, it will tell you whether that exploit is available in Metasploit or not; if not, only then you have to search for the exploit on the internet, through different GitHub repositories or different sites, but if that exploit is available in Metasploit itself, there can be integrations within the tools, like Tenable Nessus and Metasploit, where you can actually speed up the exploitation. So these are some things that you need to focus on, and as you learn the common TCP and UDP ports and protocols, the vulnerabilities will be based on that only, so you have to practice them and apply them in the real world. The best thing to practice is tryhackme.com and Hack The Box in case of infrastructure PT, and
if you want to go by the paid courses, then PentesterLab is there and the Altered Security bootcamps are also there, and if you go by certification then OSCP and PNPT are there. Okay, so we are at the end of our session; do you want to take any questions, sir?

No, I think people who are really looking forward to some career advice on how to pursue it, those are certain things that you can cover up in this session, and yeah, we can conclude it; we are already 20 past 13.

Yeah, so whoever is looking to start into VAPT, the first thing is, if you can afford it, go for good trainings; if you have already tried all these things, learning through videos or reading through blogs, and still you're not able to make it, then I will say you go for guided training. If you cannot afford that, but you are really looking to learn through the blogs, through the videos, etc., we will be sharing one mind map of how you can actually learn, for example, TCP, from which blog or from which video, so you should follow that particular mind map to learn that particular area; for example, web application PT, this particular vulnerability, and if mobile, this particular vulnerability. If you follow that mind map and if you can actually put your time into that, you will be able to do it by yourself, but if you're not able to do it by yourself, then I will recommend you go by the guided training which is available. I will also say, if you are actually looking for a career, don't just go by bug bounty trainings. Bug bounty trainings are good, but they will not prepare you to fully test the application; they are more focused on identifying a single or a couple of vulnerabilities that can give you the bounties, but they will not cover all the test cases for any single application. So at least these are some tips, but these are actually repeated. So okay, I think that
should conclude our session. Thank you everyone, from the Ministry of Security team. I hope you have all received the Google form; please take some time out and fill that up so that we can get back to you, and don't forget to follow our page, because we will keep posting very important documents, and if you want to keep tabs on our next events, the page is your go-to. So we really hope to catch up again on our next session, and keep an eye on our page as we keep posting very interesting stuff for you. So thank you once again, thank you Abhilash for your time; I hope you all had a very nice interactive session with lots of questions coming in, and we really struggled a bit to wind it up on time. So thank you once again.

Thank you, thank you so much.

Okay, we have one last question; please go ahead. Thank you, I mean, yeah, everyone is pouring in their thank-you notes, so I should let you know that you shouldn't be missing out on those. Thank you so much. Any sample of a report? Over to you on that.

I can share that, maybe in the communication that you'll be forwarding to the people.

Okay, okay, yeah.

So I will share one sample report which is well written, explaining all the things, which will be really useful for you to refer to.

Awesome, awesome, thank you. Okay, okay, thank you, thank you so much.