|
|
Open data gathering and how to use it in cybersecurity
Gašparová, Marta ; Malina, Lukáš (referee) ; Paučo, Daniel (advisor)
This thesis deals with Data Gathering from Open Sources which can be used in Cyber Security; an analysis of the OSINT tools; a creation of a Data Gathering Tool itself. The theoretical part of the thesis explores Data Gathering within the framework of Ethical Hacking and in which phase of Penetration Testing the Data Extraction is crucial. Following the analysis of the OSINT tools the Practical part of the thesis examines the Created Tool itself which was written in Python programming language. Via API interface the Tool allows interaction with other OSINT tools such as Censys, crt.sh or DNSDumpster. After entering the IP address or domain of the target company the Tool is able to search for basic information such as location, DNS names and running services. Based on the target URL the Tool is able to show both present and absent HTTP security headers on the given website and also based on the entered domain it can search for SSL/TLS certificates, subdomains and emails of the target company.
|
|
|
Cyber security testing in an environment of operational technology
Kuna, Erik ; Pospíšil, Ondřej (referee) ; Paučo, Daniel (advisor)
The topic of this work is security testing in connection with operational technology networks. The theoretical part covers description of operational technology, analysis of the current state of security in such networks and the methodology for penetration testing in this context. A section is devoted to protocols relating to said networks, comprising their characteristics, comparison of the same and related advantages and disadvantages. The theoretical part aids comprehension of the practical section, which details design and implementation of a suitable environment for testing and performing security in ICS/SCADA. Therein, emphasis is placed on security issues that pertain to the ModBus protocol.
|
|
|
Penetration test of camera system
Slaný, Radek ; Martinásek, Zdeněk (referee) ; Paučo, Daniel (advisor)
This bachelor thesis is dedicated to penetration testing of camera system ADEROS. Virtualized testing enviroment was created for purposes of penetration testing. This enviroment was reachable via VPN. In the first part of the practical part was performed scanning of the camera system. In the second part of the practical part was selected a methodology according to results from the first part. In this part is also described process of the penetration testing of the camera system as well as process of stress testing of the web interface. In third part of practical part were results of penetration testing processed into report. Main goal of this thesis is realization of penetration and stress testing, processing the results into clear report and recommendation to remediate found vulnerabilities.
|
|
|
Security exercises for ethical hacking
Paučo, Daniel ; Lieskovan, Tomáš (referee) ; Martinásek, Zdeněk (advisor)
This master thesis deals with penetration testing and ethical hacking. Regarding to the layout of the thesis there was prepared appropiate enviroment to realize Red/Blue team exercise, where Red team is in a role of the attacker and Blue team is in a role of defender of the network infrastructure. Whole infrastructure is implemented in a cloud virtual enviroment of VMware vSphere. Second part of the thesis consists of preparation and creation of the exercise to test web application security. Third part of the thesis is dedicating to the automatization of redteaming. Main focus of this master thesis is to demonstrate different attack vectors how to attack the network infrastructure and web applications and use of the defense mechanisms to avoid this kinds of attacks.
|
|
|
Specific modules for manual security testing support
Osmani, Jakub ; Safonov, Yehor (referee) ; Paučo, Daniel (advisor)
This bachelor thesis deals with the concept of penetration testing and the standards that coincide with it. The main aim of the theoretical part of this thesis is to describe the world of penetration testing, and the widely known OWASP documentation. Vulnerabilities from the top 10 vulnerabilities list as well as recommendations about secure web application development, from the Application Security Verification Standard (ASVS), are provided. The practical part of this thesis is focused on the development of three tools, that are to be used to help automate certain aspects of penetration testing.
|
|
|
Central processing and evaluation of security events
Žáček, Dominik ; Malina, Lukáš (referee) ; Paučo, Daniel (advisor)
The work discusses the topic of improving the security of IT networks. The shortcomings of some of the current solutions are revealed and selected facts are highlighted that can be used to improve the security. The main theme and objective was generally to improve the security of Flowmon customers' networks by sharing information about the perpetrators of security incidents detected by Flowmon ADS. The firm's customers include hospitals, for example, which may fall victim one after another to the same attacker or attack. By implementing a mechanism to share this information between customers, the attack could be avoided. A system has been designed and implemented to achieve this goal. At the beginning, there was one application sending security events for central processing. An application acting as a central server was then created to receive these events. A mechanism has been established to normalize the data received, based on which a number is created indicating the severity of the event. This mechanism can be configured with a configuration file for individual event types. Finally, this information is evaluated in one single piece of data, the so-called Future Misbehavior Probability score. Each attacker is therefore rated between 0 and 1, with 1 indicating the most serious attackers. Attackers are then grouped by score and can be shared with customers. This allows customers to take various countermeasures, such as pre-emptively blocking the attackers.
|
|
|
Identification of cyberbully
Paučo, Daniel ; Martinásek, Zdeněk (referee) ; Komosný, Dan (advisor)
This bachelor thesis deals with the options of determining the identity of the aggressor of the cyberbullying and it is focused at the analysis of the network information of the aggressor’s devices (computer, smartphone). Regarding the layout of the thesis was created application which is able to clone any website and consequently run it on the server of planetlab. Thanks to this "‘phishing"’ website, the application is able to get network information about all visitors and saves it for later usage. Most important part of the application is that it is working in realtime mode where shows the IP addresses which are currently connected to the website. Besides that it also shows information like location of the IP address: country, region, city and geolocation. The application also shows operating system, user agent, resolution of the browser a the number of visits of the website.
|
|
|
Central processing and evaluation of security events
Žáček, Dominik ; Malina, Lukáš (referee) ; Paučo, Daniel (advisor)
The work discusses the topic of improving the security of IT networks. The shortcomings of some of the current solutions are revealed and selected facts are highlighted that can be used to improve the security. The main theme and objective was generally to improve the security of Flowmon customers' networks by sharing information about the perpetrators of security incidents detected by Flowmon ADS. The firm's customers include hospitals, for example, which may fall victim one after another to the same attacker or attack. By implementing a mechanism to share this information between customers, the attack could be avoided. A system has been designed and implemented to achieve this goal. At the beginning, there was one application sending security events for central processing. An application acting as a central server was then created to receive these events. A mechanism has been established to normalize the data received, based on which a number is created indicating the severity of the event. This mechanism can be configured with a configuration file for individual event types. Finally, this information is evaluated in one single piece of data, the so-called Future Misbehavior Probability score. Each attacker is therefore rated between 0 and 1, with 1 indicating the most serious attackers. Attackers are then grouped by score and can be shared with customers. This allows customers to take various countermeasures, such as pre-emptively blocking the attackers.
|
|
|
Open data gathering and how to use it in cybersecurity
Gašparová, Marta ; Malina, Lukáš (referee) ; Paučo, Daniel (advisor)
This thesis deals with Data Gathering from Open Sources which can be used in Cyber Security; an analysis of the OSINT tools; a creation of a Data Gathering Tool itself. The theoretical part of the thesis explores Data Gathering within the framework of Ethical Hacking and in which phase of Penetration Testing the Data Extraction is crucial. Following the analysis of the OSINT tools the Practical part of the thesis examines the Created Tool itself which was written in Python programming language. Via API interface the Tool allows interaction with other OSINT tools such as Censys, crt.sh or DNSDumpster. After entering the IP address or domain of the target company the Tool is able to search for basic information such as location, DNS names and running services. Based on the target URL the Tool is able to show both present and absent HTTP security headers on the given website and also based on the entered domain it can search for SSL/TLS certificates, subdomains and emails of the target company.
|
|
|
Penetration test of camera system
Slaný, Radek ; Martinásek, Zdeněk (referee) ; Paučo, Daniel (advisor)
This bachelor thesis is dedicated to penetration testing of camera system ADEROS. Virtualized testing enviroment was created for purposes of penetration testing. This enviroment was reachable via VPN. In the first part of the practical part was performed scanning of the camera system. In the second part of the practical part was selected a methodology according to results from the first part. In this part is also described process of the penetration testing of the camera system as well as process of stress testing of the web interface. In third part of practical part were results of penetration testing processed into report. Main goal of this thesis is realization of penetration and stress testing, processing the results into clear report and recommendation to remediate found vulnerabilities.
|
guest ::
