|
|
Generating Synthetic Web Traffic
Koprda, Peter ; Žádník, Martin (referee) ; Hranický, Radek (advisor)
Web crawlers, známi aj ako webové pavúky alebo roboty, zohrávajú kľúčovú úlohu pri vyhľadávaní informácií, optimalizácii pre vyhľadávače a indexovaní webových stránok. Weboví roboti sa však môžu používať aj pri penetračnom testovaní webových aplikácií. Automatizácia procesu odhaľovania zraniteľností, identifikácia skrytých koncových bodov a efektívne mapovanie štruktúry webovej aplikácie môžu zvýšiť účinnosť penetračného testovania. Táto práca sa zameriava na vytvorenie nástroja určeného na generovanie neľudskej (syntetickej) webovej prevádzky. Tento nástroj bude určený aj na automatizované penetračné testovanie webových aplikácií pomocou webových robotov s využitím syntetickej webovej prevádzky na rozšírenie možností testovania. Okrem toho sa tento nástroj bude používať na hodnotenie účinosti bezpečnostných systémov, ako sú IDS, IPS a webové aplikačné firewally (WAF).
|
|
|
Phishing campaign design
Duong, Tuan Hung ; Michal,, TRTIL (referee) ; Ondrák, Viktor (advisor)
The thesis deals with implementing a tool to design and simulate phishing attacks. The first part of the thesis focuses on the history of phishing, phishing strategies, forms of attacks, and an analysis of previous incidents in the real world. Using the open-source phishing framework GoPhish, a phishing e-mail will be created. The design of the phishing e-mail will be based on the analysis of real phishing e-mails.
|
|
|
Security testing of IPv6 family protocols and related vulnerabilities
Vopálka, Matěj ; Phan, Viet Anh (referee) ; Jeřábek, Jan (advisor)
This thesis discusses the Internet Protocol version 6 (IPv6), especially the secure deployment of the protocol. The thesis deals with the shortcomings of IPv4 protocol and reason of development of IPv6 protocol. It covers topics like IPv6 addressing, structure of frames, the initial types of IPv6 extension headers. Additionally, the thesis explores related protocols to IPv6, such as NDP, SLAAC, adn DHCPv6. The thesis provides an introduction to penetration testing, describes the basic types of hackers and gives a general overview of information security attacks. The practical part is devoted to the development of an application for automatic vulnerability testing of IPv6 networks Penvuhu6. The tool is developed in Python programming language using Scapy library. Penvuhu6 has been tested in an emulated network environment with the GNS3 program. Three test scenarios were developed for the tool focusing on testing the passage of repetitive and misaligned headers, overlapping fragments, and Router advertisement and DHCPv6 advertisement messages. Penvuhu6 was tested on an emulated RouterOS device with basic and restrictive configurations.
|
|
|
Tools for application server penetration testing
Vašíček, Tomáš ; Šeda, Pavel (referee) ; Martinásek, Zdeněk (advisor)
This thesis explores the field of penetration testing of application protocols. The thesis introduces the application protocols FTP, SSH, SMTP, POP3 and IMAP and explores their possible vulnerabilities. Information about vulnerabilities is obtained from publicly available collections such as HackTricks and The Hacker Recipes, but also by studying the RFC documents of each protocol. Based on the vulnerabilities found, penetration testing checklists are constructed to provide guidance through the process of testing a given protocol. The main contribution of the work is the development of a modular automated tool ptapptest and another auxiliary tool ptntlmauth, which are used for penetration testing of the mentioned application protocols. Finally, the thesis concludes by testing the ptapptest tool on application servers discovered using the Shodan search engine.
|
|
|
Support tool for initial phase of penetration testing
Žáček, Dominik ; Gerlich, Tomáš (referee) ; Sikora, Pavel (advisor)
This thesis deals with the development of an advanced tool designed to make team penetration testing more efficient. The tool works by automatically assigning tasks to penetration testers based on skills and historical performance. The theoretical part of the thesis analyzes in detail various methods for solving the assignment problem, in particular the Hungarian method and linear programming. The theoretical part continues with the design of a two-step algorithm for task assignment. Then, the principle of the neural networks underlying the second step of the assignment is described in detail. Unique methods for generating two datasets have also been developed as part of the work. An interface for task assignment has been implemented and metrics to determine the quality of the assignment have been proposed. The result is a tool that significantly streamlines the assignment of tasks to penetration testers and increases the overall efficiency of penetration testing teams.
|
|
|
Interactive graphical environment for visualization of penetration testing
Klampár, Roman ; Martinásek, Zdeněk (referee) ; Lieskovan, Tomáš (advisor)
This thesis deals with the design, development and implementation of an interactive graphical environment to support penetration testing. The theoretical part describes the basic concepts of penetration testing, introduces the Penterep platform and the technologies used in the development, such as Vue 3, TypeScript and D3.js. The practical part focuses on the design of the data structure and architecture, as well as the implementation of the network graph with interactivity including drag and drop, zoom and pan. The implemented solution allows manipulation of the graph and its data, making it possible to change the graph structure. The thesis resulted in a package designed for flexible integration into existing projects such as the Penterep platform, into which the solution was also integrated. The thesis also analyses the performance of graph rendering using HTML5 Canvas and SVG. Rendering time, FPS and memory usage for different sizes of graphs were monitored during testing. The results show that HTML5 Canvas achieves better performance for larger amount of data. The aim of this work is to increase the efficiency of penetration testing, reduce the time consumption and simplify the necessary processes compared to the currently available tools.
|
|
|
Tool for Dynamic Analysis of Web Applications
Píš, Patrik ; Martinásek, Zdeněk (referee) ; Ilgner, Petr (advisor)
This master's thesis presents matters of penetration testing of web applications with the primary focus on the use of dynamic analysis. The thesis analyzes the current state of the art of web application security and focuses on both individual vulnerabilities and the protection mechanisms implemented by web applications. The main objective of the thesis is to design and implement an automated offensive tool that tests the resilience of a~web application to cyber threats. Compared to other available tools and their limitations, the proposed solution enables efficient rate limiting testing while also allowing testing of HTTP headers, cookie attributes, and content security policy directives. To validate its effectiveness in supporting manual penetration testing of web applications, a sandbox environment was created where experimental testing was conducted. The tool was also tested in a real production environment during penetration tests for real clients with positive feedback from professional penetration testers, demonstrating its practicality and usability in web application penetration testing.
|
|
|
Tools for Wi-Fi and IPv4 penetration testing
Jančík, David ; Lieskovan, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
The master thesis deals with the design and implementation of support tools and methodologies for security penetration testing of Wi-Fi networks and IPv4 network infrastructure. The theoretical part covers penetration testing itself, approaches, phases, and types. It also describes the development of Wi-Fi networks and their security protocols. Various penetration tools for Wi-Fi networks and types of attacks are introduced. In the last theoretical part, a basic overview of IPv4 and tools for IPv4 scanning is provided. Initially, in the practical part, a proprietary methodology for Wi-Fi networks and IPv4 and tools for penetration testing are proposed. The Python programming language is defined, along with the output of various tools for the Penterep platform. A review of tools from the theoretical part is conducted to select suitable tools for new support tools. The implementation of penetration tools is based on the design diagram created. The conclusion summarizes the results achieved and suggestions for further expansion of tools for Wi-Fi and IPv4. The result of this thesis is the implementation of support tools and the design diagram for Wi-Fi networks and IPv4.
|
|
|
Network Scanner for PowerShell
Sabota, Dominik ; Šeda, Pavel (referee) ; Martinásek, Zdeněk (advisor)
This study focuses on the development and implementation of a network scanning tool for the scripting language Powershell version 5.1 and higher. This tool, named Oculus, was specifically designed for the use of sophisticated network scanning methods during penetration testing and other security audits, thereby becoming part of the broader context of cybersecurity. Within the set requirements and limitations, the Oculus tool was successfully implemented. This work thoroughly analyzes the process of development and implementation of this tool, its limitations, and their impact on overall effectiveness, which is subsequently tested and evaluated. Although the development process brought certain challenges, the testing results confirmed that the Oculus tool provides valuable outputs, thereby confirming its usability in the matter of improving cybersecurity.
|
|
|
Design and Creation of Proxy for Penetration Testing
Válka, Michal ; Bláha, Lukáš (referee) ; Dydowicz, Petr (advisor)
This bachelor’s thesis is aimed at design and development of proxy for penetration testing. The thesis is divided into three main parts and begins with a theoretical part, which is focused on fundamental technologies and principles on which the application is based. The second part is focused on comparison of currently available solutions. The third part contains the creation of the proxy itself. The last chapter contains a summary of this thesis and the benefits of the developed product for penetration testing.
|
guest ::
