National Repository of Grey Literature: 276 records found
A feedback profiling model for cybersecurity education and training
Lazarov, Willi ; Kuchař, Karel (referee) ; Martinásek, Zdeněk (advisor)
The need to educate users to some extent in cybersecurity is undeniable given the ever-increasing cyber threats. However, the approach to education and training cannot be simply generalized due to the different environments, technical backgrounds, and age groups of users. In addition, it is also important to proactively monitor, evaluate, and provide feedback to the individuals being taught or trained. The master's thesis addresses these challenges through the research and development of a feedback profiling model for effective cybersecurity education and training. The thesis first begins with a discussion of methods and techniques for cybersecurity education. Subsequently, the problem addressed is described in more detail, followed by the design of the proposed solution in the form of the profiling model with automatic feedback. The model, which consists of a profiling matrix, a profiling algorithm, and a learning curve, was first created and expressed mathematically without considering the properties of a particular cyber range platform and programming language, especially for easy replication, modification, and extension. Independently, the profiling model was implemented and subsequently integrated into the Brno University of Technology Cyber Arena (BUTCA) platform to validate the model on learning data from students of grammar schools, technical high schools, and universities. The resulting solution of this thesis brings to the cybersecurity field a new innovative approach to the evaluation of learned and trained users with an emphasis on individual feedback and continuous learning.
Tools for application server penetration testing
Vašíček, Tomáš ; Šeda, Pavel (referee) ; Martinásek, Zdeněk (advisor)
This thesis explores the field of penetration testing of application protocols. The thesis introduces the application protocols FTP, SSH, SMTP, POP3 and IMAP and explores their possible vulnerabilities. Information about vulnerabilities is obtained from publicly available collections such as HackTricks and The Hacker Recipes, but also by studying the RFC documents of each protocol. Based on the vulnerabilities found, penetration testing checklists are constructed to provide guidance through the process of testing a given protocol. The main contribution of the work is the development of a modular automated tool ptapptest and another auxiliary tool ptntlmauth, which are used for penetration testing of the mentioned application protocols. Finally, the thesis concludes by testing the ptapptest tool on application servers discovered using the Shodan search engine.
Integration of A/D game scenario into the BUTCA platform
Slaný, Radek ; Lieskovan, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
Nowadays we live in a world where it is almost impossible to exist without information technologies. Therefore, higher requirements for cyber security arise, and with these requirements grows the need for trained professionals. BUTCA is a Cyber Range platform which provides, through educational scenarios, students and professionals with an environment where they can test their theoretical knowledge in practical examples. Current scenarios in BUTCA are focused on either defensive or offensive cyber security skills. This master's thesis proposes an educational scenario that is focused on defensive and offensive security skills at the same time. The scenario is designed for teams competing against each other: each team tries to compromise the instances of the other team while trying to defend its own instances against the cyber attacks of the other team. The main contribution of this master's thesis is the design and implementation of the described scenario, which will be easily scalable for teams with different numbers of players and easily expandable thanks to the use of its own library of vulnerabilities. The final implementation of the educational scenario was imported into the BUTCA platform, where the scenario was tested with the assistance of a team of professional penetration testers.
Data collecting tool from the open-source datasets
Kříž, Petr ; Martinásek, Zdeněk (referee) ; Gerlich, Tomáš (advisor)
The thesis examines the field of intelligence disciplines in detail, with an emphasis on open source intelligence (OSINT). The thesis includes a detailed description of the intelligence cycle, including an analysis of the different phases of the cycle. Furthermore, the theoretical part of the thesis provides an overview of the social network Instagram from an OSINT perspective. This includes a description of the types of data available on this platform and the methods that are used to collect it. The practical part then demonstrates the design and implementation of an open data monitoring tool on Instagram. This tool is designed to monitor public posts and comments on Instagram. The main output of this thesis is a functional tool that not only collects data but is also able to visualize this data effectively.
Interactive graphical environment for visualization of penetration testing
Klampár, Roman ; Martinásek, Zdeněk (referee) ; Lieskovan, Tomáš (advisor)
This thesis deals with the design, development and implementation of an interactive graphical environment to support penetration testing. The theoretical part describes the basic concepts of penetration testing, introduces the Penterep platform and the technologies used in the development, such as Vue 3, TypeScript and D3.js. The practical part focuses on the design of the data structure and architecture, as well as the implementation of the network graph with interactivity including drag and drop, zoom and pan. The implemented solution allows manipulation of the graph and its data, making it possible to change the graph structure. The thesis resulted in a package designed for flexible integration into existing projects such as the Penterep platform, into which the solution was also integrated. The thesis also analyses the performance of graph rendering using HTML5 Canvas and SVG. Rendering time, FPS and memory usage for different sizes of graphs were monitored during testing. The results show that HTML5 Canvas achieves better performance for larger amounts of data. The aim of this work is to increase the efficiency of penetration testing, reduce the time consumption and simplify the necessary processes compared to the currently available tools.
Tool for Dynamic Analysis of Web Applications
Píš, Patrik ; Martinásek, Zdeněk (referee) ; Ilgner, Petr (advisor)
This master's thesis presents matters of penetration testing of web applications with the primary focus on the use of dynamic analysis. The thesis analyzes the current state of the art of web application security and focuses on both individual vulnerabilities and the protection mechanisms implemented by web applications. The main objective of the thesis is to design and implement an automated offensive tool that tests the resilience of a web application to cyber threats. Compared to other available tools and their limitations, the proposed solution enables efficient rate limiting testing while also allowing testing of HTTP headers, cookie attributes, and content security policy directives. To validate its effectiveness in supporting manual penetration testing of web applications, a sandbox environment was created where experimental testing was conducted. The tool was also tested in a real production environment during penetration tests for real clients with positive feedback from professional penetration testers, demonstrating its practicality and usability in web application penetration testing.
Tools for Wi-Fi and IPv4 penetration testing
Jančík, David ; Lieskovan, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
The master thesis deals with the design and implementation of support tools and methodologies for security penetration testing of Wi-Fi networks and IPv4 network infrastructure. The theoretical part covers penetration testing itself, approaches, phases, and types. It also describes the development of Wi-Fi networks and their security protocols. Various penetration tools for Wi-Fi networks and types of attacks are introduced. In the last theoretical part, a basic overview of IPv4 and tools for IPv4 scanning is provided. Initially, in the practical part, a proprietary methodology for Wi-Fi networks and IPv4 and tools for penetration testing are proposed. The Python programming language is defined, along with the output of various tools for the Penterep platform. A review of tools from the theoretical part is conducted to select suitable tools for new support tools. The implementation of penetration tools is based on the design diagram created. The conclusion summarizes the results achieved and suggestions for further expansion of tools for Wi-Fi and IPv4. The result of this thesis is the implementation of support tools and the design diagram for Wi-Fi networks and IPv4.
Network Scanner for PowerShell
Sabota, Dominik ; Šeda, Pavel (referee) ; Martinásek, Zdeněk (advisor)
This study focuses on the development and implementation of a network scanning tool for the scripting language PowerShell version 5.1 and higher. This tool, named Oculus, was specifically designed for the use of sophisticated network scanning methods during penetration testing and other security audits, thereby becoming part of the broader context of cybersecurity. Within the set requirements and limitations, the Oculus tool was successfully implemented. This work thoroughly analyzes the process of development and implementation of this tool, its limitations, and their impact on overall effectiveness, which is subsequently tested and evaluated. Although the development process brought certain challenges, the testing results confirmed that the Oculus tool provides valuable outputs, thereby confirming its usability in the matter of improving cybersecurity.
Experimental testbed for side channel analysis
Vidlařová, Pavla ; Martinásek, Zdeněk (referee) ; Gerlich, Tomáš (advisor)
This thesis provides an introduction to the problems of side channels. The theoretical part describes basic concepts, types of side channels and some possible side-channel attacks. The main focus is on the power side channel, which is used in the practical part of the work. This is followed by a description of power analysis: simple power analysis and differential power analysis. The last part describes the workplace and all its parts, in which the measurement will be performed. The practical part deals with the realization of the workplace and the measurement of power side channels on an implementation of the AES algorithm, followed by processing and visualisation of the values with the SIde Channel Analysis toolKit.
Detection of attacks targeted at web applications
Jégrová, Eliška ; Gerlich, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
This thesis deals with vulnerabilities of web applications. The aim of the work is to create tools for detecting certain attacks, specifically Same Origin Method Execution (SOME), XML Signature Wrapping attack, XPATH Injection, HTTP Response Smuggling and Server-Side Includes (SSI) injection. Another aim is to create logs that display detected attacks. In the first part, the theory is analyzed and the vulnerabilities of the chosen attacks are described, including their misuse. In the next section, web applications are implemented which contain vulnerabilities for successful execution of the attacks. Furthermore, detection methods for these attacks are designed and developed in the Python language, and these are accompanied by a log entry.
