|
|
Application of Optimization Algorithms to Support Penetration Testing
Žáček, Dominik ; Lazarov, Willi
This paper presents a novel approach to support the pre-engagement phase of penetration testing, where testing tasks are assigned to penetration testers based on their knowledge and experience to ensure the most appropriate selection. To apply and verify our approach, we developed an automated tool that uses optimization algorithms for the task assignment process. Experimental testing shows that the application of algorithms based on optimization problems in the first phase of penetration testing could be a way to increase its effectiveness.
|
|
|
Utilizing Dynamic Analysis for Web Application Penetration Testing
Píš, Patrik ; Lazarov, Willi
This paper presents the design and implementation of a new modular tool, called PtWebDA, for dynamic analysis of web applications as one of the techniques used in penetration testing. Compared to other available tools and their limitations, our solution enables efficient rate limiting while also allowing testing of HTTP headers, cookie attributes, and content security policy directives. To verify its effectiveness in supporting manual web application penetration testing, we performed experimental testing in a controlled environment. The results of testing the presented tool PtWebDA are discussed in detail and highlight the key contributions of our solution.
|
|
|
Generating Synthetic Web Traffic
Koprda, Peter ; Žádník, Martin (referee) ; Hranický, Radek (advisor)
Web crawlers, známi aj ako webové pavúky alebo roboty, zohrávajú kľúčovú úlohu pri vyhľadávaní informácií, optimalizácii pre vyhľadávače a indexovaní webových stránok. Weboví roboti sa však môžu používať aj pri penetračnom testovaní webových aplikácií. Automatizácia procesu odhaľovania zraniteľností, identifikácia skrytých koncových bodov a efektívne mapovanie štruktúry webovej aplikácie môžu zvýšiť účinnosť penetračného testovania. Táto práca sa zameriava na vytvorenie nástroja určeného na generovanie neľudskej (syntetickej) webovej prevádzky. Tento nástroj bude určený aj na automatizované penetračné testovanie webových aplikácií pomocou webových robotov s využitím syntetickej webovej prevádzky na rozšírenie možností testovania. Okrem toho sa tento nástroj bude používať na hodnotenie účinosti bezpečnostných systémov, ako sú IDS, IPS a webové aplikačné firewally (WAF).
|
|
|
Phishing campaign design
Duong, Tuan Hung ; Michal,, TRTIL (referee) ; Ondrák, Viktor (advisor)
The thesis deals with implementing a tool to design and simulate phishing attacks. The first part of the thesis focuses on the history of phishing, phishing strategies, forms of attacks, and an analysis of previous incidents in the real world. Using the open-source phishing framework GoPhish, a phishing e-mail will be created. The design of the phishing e-mail will be based on the analysis of real phishing e-mails.
|
|
|
Security testing of IPv6 family protocols and related vulnerabilities
Vopálka, Matěj ; Phan, Viet Anh (referee) ; Jeřábek, Jan (advisor)
This thesis discusses the Internet Protocol version 6 (IPv6), especially the secure deployment of the protocol. The thesis deals with the shortcomings of IPv4 protocol and reason of development of IPv6 protocol. It covers topics like IPv6 addressing, structure of frames, the initial types of IPv6 extension headers. Additionally, the thesis explores related protocols to IPv6, such as NDP, SLAAC, adn DHCPv6. The thesis provides an introduction to penetration testing, describes the basic types of hackers and gives a general overview of information security attacks. The practical part is devoted to the development of an application for automatic vulnerability testing of IPv6 networks Penvuhu6. The tool is developed in Python programming language using Scapy library. Penvuhu6 has been tested in an emulated network environment with the GNS3 program. Three test scenarios were developed for the tool focusing on testing the passage of repetitive and misaligned headers, overlapping fragments, and Router advertisement and DHCPv6 advertisement messages. Penvuhu6 was tested on an emulated RouterOS device with basic and restrictive configurations.
|
|
|
Tools for application server penetration testing
Vašíček, Tomáš ; Šeda, Pavel (referee) ; Martinásek, Zdeněk (advisor)
This thesis explores the field of penetration testing of application protocols. The thesis introduces the application protocols FTP, SSH, SMTP, POP3 and IMAP and explores their possible vulnerabilities. Information about vulnerabilities is obtained from publicly available collections such as HackTricks and The Hacker Recipes, but also by studying the RFC documents of each protocol. Based on the vulnerabilities found, penetration testing checklists are constructed to provide guidance through the process of testing a given protocol. The main contribution of the work is the development of a modular automated tool ptapptest and another auxiliary tool ptntlmauth, which are used for penetration testing of the mentioned application protocols. Finally, the thesis concludes by testing the ptapptest tool on application servers discovered using the Shodan search engine.
|
|
|
Support tool for initial phase of penetration testing
Žáček, Dominik ; Gerlich, Tomáš (referee) ; Sikora, Pavel (advisor)
This thesis deals with the development of an advanced tool designed to make team penetration testing more efficient. The tool works by automatically assigning tasks to penetration testers based on skills and historical performance. The theoretical part of the thesis analyzes in detail various methods for solving the assignment problem, in particular the Hungarian method and linear programming. The theoretical part continues with the design of a two-step algorithm for task assignment. Then, the principle of the neural networks underlying the second step of the assignment is described in detail. Unique methods for generating two datasets have also been developed as part of the work. An interface for task assignment has been implemented and metrics to determine the quality of the assignment have been proposed. The result is a tool that significantly streamlines the assignment of tasks to penetration testers and increases the overall efficiency of penetration testing teams.
|
|
|
Interactive graphical environment for visualization of penetration testing
Klampár, Roman ; Martinásek, Zdeněk (referee) ; Lieskovan, Tomáš (advisor)
This thesis deals with the design, development and implementation of an interactive graphical environment to support penetration testing. The theoretical part describes the basic concepts of penetration testing, introduces the Penterep platform and the technologies used in the development, such as Vue 3, TypeScript and D3.js. The practical part focuses on the design of the data structure and architecture, as well as the implementation of the network graph with interactivity including drag and drop, zoom and pan. The implemented solution allows manipulation of the graph and its data, making it possible to change the graph structure. The thesis resulted in a package designed for flexible integration into existing projects such as the Penterep platform, into which the solution was also integrated. The thesis also analyses the performance of graph rendering using HTML5 Canvas and SVG. Rendering time, FPS and memory usage for different sizes of graphs were monitored during testing. The results show that HTML5 Canvas achieves better performance for larger amount of data. The aim of this work is to increase the efficiency of penetration testing, reduce the time consumption and simplify the necessary processes compared to the currently available tools.
|
|
|
Tool for Dynamic Analysis of Web Applications
Píš, Patrik ; Martinásek, Zdeněk (referee) ; Ilgner, Petr (advisor)
This master's thesis presents matters of penetration testing of web applications with the primary focus on the use of dynamic analysis. The thesis analyzes the current state of the art of web application security and focuses on both individual vulnerabilities and the protection mechanisms implemented by web applications. The main objective of the thesis is to design and implement an automated offensive tool that tests the resilience of a~web application to cyber threats. Compared to other available tools and their limitations, the proposed solution enables efficient rate limiting testing while also allowing testing of HTTP headers, cookie attributes, and content security policy directives. To validate its effectiveness in supporting manual penetration testing of web applications, a sandbox environment was created where experimental testing was conducted. The tool was also tested in a real production environment during penetration tests for real clients with positive feedback from professional penetration testers, demonstrating its practicality and usability in web application penetration testing.
|
|
|
Tools for Wi-Fi and IPv4 penetration testing
Jančík, David ; Lieskovan, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
The master thesis deals with the design and implementation of support tools and methodologies for security penetration testing of Wi-Fi networks and IPv4 network infrastructure. The theoretical part covers penetration testing itself, approaches, phases, and types. It also describes the development of Wi-Fi networks and their security protocols. Various penetration tools for Wi-Fi networks and types of attacks are introduced. In the last theoretical part, a basic overview of IPv4 and tools for IPv4 scanning is provided. Initially, in the practical part, a proprietary methodology for Wi-Fi networks and IPv4 and tools for penetration testing are proposed. The Python programming language is defined, along with the output of various tools for the Penterep platform. A review of tools from the theoretical part is conducted to select suitable tools for new support tools. The implementation of penetration tools is based on the design diagram created. The conclusion summarizes the results achieved and suggestions for further expansion of tools for Wi-Fi and IPv4. The result of this thesis is the implementation of support tools and the design diagram for Wi-Fi networks and IPv4.
|
guest ::
