Pentesting the infrastructure (what does an attacker see?) [10 minutes]

The Why?

A penetration testing exercise was undertaken to check whether it was possible to gain unauthorized access to the setup.

Black Box Penetration Testing

Port scanning

Port scan to discover services

Service enumeration

Service enumeration scan

HTTP Basic Auth on ports 80 and 8080

HTTP basic Auth

Attempted brute force

  • Multiple dictionaries were tried against the HTTP Basic Auth

Hydra HTTP Basic Brute Force

Attempted brute force

  • Multiple dictionaries were tried against SSH as well

Hydra SSH Brute Force

Grey Box Penetration Testing

  • App credentials were provided

Verbose Errors

Verbose Kibana stack traces

Credential Leakage through MiTM

Request/response showing the Basic Auth header

MITM decoded password
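The point of the MITM slides, as an added example that is not part of the original deck: Basic Auth is only base64, so anyone on the path of the port 80/8080 traffic recovers the password exactly as the decoded-password screenshot shows. This audit runs over constructed captured requests (the host address, users and passwords are made up) and flags each Basic exchange that travelled without TLS, reporting the user and only the password length.

```python
import base64
import binascii

# Constructed sample of what an on-path observer sees when a client
# authenticates over plain HTTP (host, users and passwords are made up).
CAPTURED_REQUESTS = [
    {"dst_port": 80, "tls": False,
     "raw": "GET /app/kibana HTTP/1.1\r\nHost: 10.0.0.5\r\n"
            "Authorization: Basic a2liYW5hOlMzY3IzdFAhc3M=\r\n\r\n"},
    {"dst_port": 8080, "tls": False,
     "raw": "GET /api/status HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n"
            "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"},
    {"dst_port": 443, "tls": True,
     "raw": "GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n"
            "Authorization: Basic b3BzOmh1bnRlcjI=\r\n\r\n"},
    {"dst_port": 80, "tls": False,
     "raw": "GET /healthz HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"},
]

def basic_credentials(raw_request):
    """Return (user, password) if the request carries a Basic Auth header, else None."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None  # Bearer, Digest, etc. are not a base64 user:pass pair
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed token: nothing recoverable
            user, _, password = decoded.partition(":")
            return user, password
    return None

def audit(requests):
    """Flag every Basic Auth exchange that travelled without TLS.
    The password is recoverable by anyone on the path, so only its length is reported."""
    findings = []
    for req in requests:
        creds = basic_credentials(req["raw"])
        if creds and not req["tls"]:
            user, password = creds
            findings.append({"port": req["dst_port"], "user": user,
                             "password_len": len(password)})
    return findings

if __name__ == "__main__":
    for f in audit(CAPTURED_REQUESTS):
        print(f"port {f['port']}: user '{f['user']}' sent a "
              f"{f['password_len']}-char password in cleartext")
```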
