Overview
Explore advanced persistent penetration testing techniques in this 39-minute conference talk from Derbycon 2016. The talk opens with traditional pen testing methods before transitioning to Advanced Persistent Pen (APP) Testing. Learn about Java (de)serialization: reading a serialized object from disk, the Java serialized object format, and the input and output classes involved. Gain insights into using the Java decompiler JD-GUI and into methodology considerations. Examine a black box test example and case study, and discover post-exploitation techniques beyond Domain Admin (DA). Get introduced to MailSniper, a PowerShell tool for searching Exchange mailboxes during a penetration test. Conclude with a summary of key takeaways and final thoughts on advanced persistent pentesting strategies.
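As an added example (not code from the talk or its author), the following Python script does the triage step a black-box tester performs on an unknown blob before reaching for JD-GUI: it recognises a Java serialization stream, raw or base64-encoded (the familiar `rO0AB` prefix), and reads only the top-level class descriptor (class name, serialVersionUID, declared fields) without ever deserializing anything. The tag values are those of Java's Object Serialization Stream Protocol; the sample stream for a class `com.example.Demo` with one `int count` field is constructed by hand here and the class is hypothetical.

```python
"""Triage a Java serialization stream (ObjectOutputStream output) without deserializing it.
Added example, not code from the talk; tag values are from Java's Object Serialization Stream Protocol."""
import base64
import binascii
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"        # STREAM_MAGIC 0xACED + STREAM_VERSION 5
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = (
    0x70, 0x71, 0x72, 0x73, 0x74, 0x78)
SC_SERIALIZABLE = 0x02
PRIMITIVE_TYPECODES = set(b"BCDFIJSZ")     # byte char double float int long short boolean

def java_utf(text):
    """String as written by DataOutputStream.writeUTF: 2-byte length, then bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data

# Constructed sample for a hypothetical class: what ObjectOutputStream emits for
# `class com.example.Demo implements Serializable { int count = 42; }`, serialVersionUID 1L.
SAMPLE = (STREAM_HEADER
          + bytes([TC_OBJECT, TC_CLASSDESC]) + java_utf("com.example.Demo")
          + struct.pack(">q", 1) + bytes([SC_SERIALIZABLE])
          + struct.pack(">H", 1) + b"I" + java_utf("count")   # one field: int count
          + bytes([TC_ENDBLOCKDATA, TC_NULL])                  # no annotation, no superclass
          + struct.pack(">i", 42))                             # classdata: count = 42

class Reader:
    """Bounds-checked big-endian cursor: a short read is a ValueError, never an IndexError."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def i64(self): return struct.unpack(">q", self.take(8))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")

def to_base64(blob):
    return base64.b64encode(blob).decode("ascii")

def is_java_serialized(blob):
    """True for a raw stream or its base64 form (the familiar 'rO0AB' prefix)."""
    if isinstance(blob, str):
        blob = blob.strip().encode("ascii", "ignore")
    if blob.startswith(STREAM_HEADER):
        return True
    if blob.startswith(b"rO0AB"):
        try:
            return base64.b64decode(blob).startswith(STREAM_HEADER)
        except binascii.Error:
            return False
    return False

def read_class_desc(r):
    """Parse a classDesc; None means TC_NULL, the end of the superclass chain."""
    tag = r.u8()
    if tag == TC_NULL:
        return None
    if tag != TC_CLASSDESC:
        raise ValueError("unsupported classDesc tag 0x%02x" % tag)
    name, uid, flags, field_count = r.utf(), r.i64(), r.u8(), r.u16()
    fields = []
    for _ in range(field_count):
        typecode, field_name = r.u8(), r.utf()
        if typecode in b"L[":                    # object/array field: JVM type signature follows
            sig_tag = r.u8()
            if sig_tag == TC_STRING:
                field_type = r.utf()
            elif sig_tag == TC_REFERENCE:        # back-reference to an earlier string handle
                field_type = "ref:%#x" % struct.unpack(">I", r.take(4))[0]
            else:
                raise ValueError("unexpected tag 0x%02x in field signature" % sig_tag)
        elif typecode in PRIMITIVE_TYPECODES:
            field_type = chr(typecode)
        else:
            raise ValueError("unknown field typecode 0x%02x" % typecode)
        fields.append((field_type, field_name))
    if r.u8() != TC_ENDBLOCKDATA:                # class annotation data is not handled here
        raise ValueError("class annotation data not supported")
    return {"class_name": name, "serial_version_uid": uid, "flags": flags,
            "fields": fields, "superclass": read_class_desc(r)}

def describe_stream(blob):
    """Header check plus top-level class descriptor; the object data itself is never consumed."""
    if isinstance(blob, str):
        blob = base64.b64decode(blob.strip())
    r = Reader(blob)
    if r.take(4) != STREAM_HEADER:
        raise ValueError("not a Java serialization stream")
    if r.u8() != TC_OBJECT:
        raise ValueError("top-level content is not TC_OBJECT")
    return read_class_desc(r)
```

`describe_stream(SAMPLE)` returns the class name `com.example.Demo`, serialVersionUID 1 and the single `int count` field; with the class name in hand, the next step in the talk's workflow is to pull the jar and open that class in JD-GUI. Anything the parser does not understand (class annotations, a non-object top-level tag, a truncated stream) raises `ValueError` rather than guessing, which is the right failure mode for untrusted input, and nothing here ever hands the bytes to an `ObjectInputStream`.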
Syllabus
Intro
Traditional Pen Testing
Advanced Persistent Pen (APP) Testing
Java (De)Serialization
Read the Object From Disk
Java Serialized Object Format
Input and Output Classes
Java De-Compiler (JD-GUI)
Methodology Thoughts
Black Box Test Example
Black Box Case Study
Post Exploitation Beyond DA
Introducing MailSniper
Summary and Conclusions