Certified Penetration Testing Engineer - Mile2
Certified Penetration Testing Engineer<br />
Course Title: CPTEngineer<br />
Duration: 5 days<br />
Language: English<br />
Class Format Options:<br />
Instructor-led classroom<br />
Live Online Training<br />
CBT - Pre-recorded Videos<br />
Prerequisites:<br />
• A minimum of 12 months experience in networking technologies<br />
• Sound knowledge of TCP/IP<br />
• Knowledge of Microsoft packages<br />
• Network+, Microsoft, Security+<br />
• Basic Knowledge of Linux is essential<br />
Student Materials:<br />
• Student Workbook<br />
• Student Lab Guide<br />
• Software/Tools (3 DVDs)<br />
Certification Exam:<br />
CPTE – Certified Pen Testing Engineer (Thomson Prometric – Globally)<br />
OSCP – Offensive Security Certified Professional<br />
Certification Track:<br />
CPTE - Certified Pen Testing Engineer<br />
CPTC - Certified Pen Testing Consultant<br />
CDFE - Certified Digital Forensics Examiner<br />
COURSE BENEFITS<br />
Certified Penetration Testing Engineer graduates will obtain real world security knowledge enabling them to recognize vulnerabilities, exploit system weaknesses, and safeguard organizations against threats. Graduates will learn the art of Ethical Hacking with a professional edge (Penetration Testing).<br />
COURSE OVERVIEW<br />
CPTEngineer’s foundation is built firmly upon proven, hands-on, Penetration Testing methodologies utilized by our international group of vulnerability consultants. Mile2 trainers keep abreast of their field by practicing what they teach. They believe that, during training, an equal emphasis should be placed on both theoretical and real world experience if the student is going to succeed in mastering the necessary skills to become a CPTEngineer.<br />
The CPTEngineer presents information based on the 5 Key Elements of Pen Testing: Information Gathering, Scanning, Enumeration, Exploitation and Reporting. System vulnerabilities will be discovered using these tried and true steps alongside the use of the latest hacking techniques.<br />
This course also enhances the business skills needed by today’s students. It will enable them to identify protection opportunities, justify testing activities, and optimize security controls needed by businesses attempting to reduce risks.<br />
mile2 goes far beyond simply teaching students to “Hack”. Mere hacking was the norm for classes that were available before mile2 introduced a new methodology in teaching this advanced skill.<br />
Also available as:<br />
LIVE VIRTUAL TRAINING<br />
Attend live classes from anywhere in the world!<br />
• Our Live Online classes make use of industry standard meeting and collaboration technologies. Students use simple web based tools to view slides, the instructor’s desktop, and videos all while holding live audio (and chat) discussions with the instructor.<br />
• During lab time, each remote student has a dedicated high spec remote PC. Students have full desktop access as if they were sitting in front of a PC in the actual computer lab.<br />
• The instructor monitors each student’s PC as they perform the labs remotely. The instructor can access the remote student’s system to demonstrate and assist in the event questions arise.<br />
• Public and private text chat allows for increased interactivity between students and instructor during class in a way that prevents interruptions to other students.<br />
Our course was developed around principles and behaviors used by malicious hackers. The course is taught with this in mind while keeping the focus on professional penetration testing and ensuring the security of information assets.<br />
UPON COMPLETION<br />
Upon proper completion of the course, CPTEngineer students will be able to confidently sit for the CPTEngineer certification exam (recommended). Students will enjoy an in-depth course that is continuously updated to maintain and incorporate changes in the security environment. This course offers up-to-date proprietary labs that have been researched and developed by leading security professionals from around the world.<br />
COURSE DETAILS<br />
Module 0: Course Overview<br />
Module 1: Business and Technical Logistics of Pen Testing<br />
Module 2: Financial Sector Regulations<br />
Module 3: Information Gathering<br />
Module 4: Detecting Live Systems<br />
Module 5: Enumeration<br />
Module 6: Vulnerability Assessments<br />
Module 7: Malware, Trojans and BackDoors<br />
Module 8: Windows Hacking<br />
Module 9: Hacking UNIX/Linux<br />
Module 10: Advanced Exploitation Techniques<br />
Module 11: Pen Testing Wireless Networks<br />
Module 12: Networks, Sniffing and IDS<br />
Module 13: Injecting the Database<br />
Module 14: Attacking Web Technologies<br />
Module 15: Report Writing<br />
Appendix 1: The Basics<br />
Appendix 2: Linux Fundamentals<br />
Appendix 3: Access Controls<br />
Appendix 4: Protocols<br />
Appendix 5: Cryptography<br />
Appendix 6: Economics and Law<br />
OBJECTIVE OF LABORATORY SCENARIOS<br />
This is an intensive hands-on class. Students may spend 20 hours or more performing labs that walk them through a real world Pen Testing model. Labs begin with simple activities and move on to more complex procedures. During labs, students move through a detailed Lab Guide containing screen shots, commands to be typed, and steps students should take. Students will make use of scores of traditional and cutting edge Pen Testing tools (GUI and command line, Windows and Linux) as they make their way through mile2’s time-tested methodology. (See Outline below for tool titles.) Customers can be confident that as new methods arise in the security world, our labs are updated to reflect them.<br />
DETAILED COURSE OUTLINE<br />
Module 0 - Course Overview<br />
0.1 Introduction<br />
0.2 Courseware Materials<br />
0.3 Course Overview – Appendix Items<br />
0.4 Course Overview<br />
0.5 Course Objectives<br />
0.6 Exam Information<br />
0.7 Learning Aids<br />
0.8 Labs<br />
0.9 Class Prerequisites<br />
0.10 Student Facilities<br />
0.11 Explanation Concerning Documentation<br />
Module 1 – Business and Technical Logistics of Pen Testing<br />
1.1 Overview<br />
1.2 What is a Penetration Test?<br />
1.3 Benefits of a Penetration Test<br />
1.4 Data Breach Insurance<br />
1.5 CSI Computer Crime Survey<br />
1.6 Hacking Examples and Associated Costs<br />
1.7 Statistics on Internal Breaches<br />
1.8 Stat<br />
1.9 Trend at the End of 2008<br />
1.10 The Evolving Threat<br />
1.11 Security Vulnerability Life Cycle<br />
1.12 Exploit Timeline<br />
1.13 Zombies and Botnets<br />
1.14 How are Botnets Growing?<br />
1.15 Types of Penetration Testing<br />
1.16 “Hacking-Life-Cycle”<br />
1.17 Penetration Testing Methodology<br />
1.18 Other Penetration Testing Methodologies<br />
1.19 Hacker vs. Penetration Tester<br />
1.20 It is not always about the Tools!<br />
1.21 Website Reviews<br />
1.22 CIOview and SecurityNOW! SX<br />
1.23 Seven Management Errors<br />
1.24 What does the future hold?<br />
1.25 Review<br />
1.26 Lab 1 – Getting Set Up<br />
1.26.1 Exercise 1 – Discovering your class share<br />
1.26.2 Exercise 2 – Discovering your student DVDs<br />
1.26.3 Exercise 3 – VM Image Preparation<br />
1.26.4 Exercise 4 – Naming and Subnet Assignments<br />
1.26.5 Exercise 5 – PDF Penetration Testing Methodology Review<br />
Module 2 – Financial Sector Regulations<br />
2.1 Overview<br />
2.2 IT Governance Best Practices<br />
2.3 IT Risk Management<br />
2.4 Types of Risks<br />
2.5 Approaches to Risk Management<br />
2.6 Information Security Risk Evaluation<br />
2.7 Improving Security Posture<br />
2.8 Risk Evaluation Activities<br />
2.9 Risk Assessment<br />
2.10 Information Gathering<br />
2.11 Data Classification<br />
2.12 Threats and Vulnerabilities<br />
2.13 Analytical Methods<br />
2.14 Evaluate Controls<br />
2.15 Risk Ratings<br />
2.16 Important Risk Assessment Practices<br />
2.17 Compliance<br />
2.18 Many Regulations<br />
2.19 Basel II<br />
2.20 Gramm-Leach-Bliley Act 1999<br />
2.21 Federal Financial Examination Institution Council<br />
2.22 Sarbanes-Oxley Act (SOX 404) 2002<br />
2.23 ISO 27002<br />
2.24 PCI-DSS<br />
2.25 Total Cost of Compliance<br />
2.26 What does this mean to the tech?<br />
2.27 Review<br />
2.28 Lab 2 – Linux Fundamentals<br />
2.28.1 Exercise 1 – ifconfig<br />
2.28.2 Exercise 2 – Mounting a USB Thumb Drive<br />
2.28.3 Exercise 3 – Mount a Windows Partition<br />
2.28.4 Exercise 4 – VNC Server<br />
2.28.5 Exercise 5 – Preinstalled Tools in BackTrack3<br />
Module 3 – Information Gathering<br />
3.1 Overview<br />
3.2 What information does the Hacker want?<br />
3.3 Methods of Obtaining Information<br />
3.4 Physical Access<br />
3.5 Social Engineering<br />
3.6 Social Engineering via MySpa<br />
3.7 Social Engineering via Facebook<br />
3.8 Other Social Networks from around the world!<br />
3.9 Identity Theft and MySpace<br />
3.10 Instant Messengers and Chats<br />
3.11 Digital Access<br />
3.12 Passive vs Active Reconnaissance<br />
3.13 Footprinting Defined<br />
3.14 KartOO<br />
3.15 Maltego<br />
3.16 Firecat – Firefox Catalog of Auditing Extensions<br />
3.17 Footprinting Tools<br />
3.18 Johnny.ihackstuff.com<br />
3.19 Google Hacking<br />
3.20 SPUD<br />
3.21 Wikto for Google Hacking<br />
3.22 Blogs, Forums and Newsgroups<br />
3.23 The Wayback Machine<br />
3.24 Domain Name Registration<br />
3.25 WHOIS<br />
3.26 Dirk-loss – Online Tools<br />
3.27 Dnsstuff<br />
3.28 Central Ops<br />
3.29 DNS Database Record Types<br />
3.30 Nslookup<br />
3.31 Dig<br />
3.32 Traceroute<br />
3.33 VisualRoute<br />
3.34 Opus One Traceroute Tools<br />
3.35 People Search Engines<br />
3.36 EDGAR<br />
3.37 Company House<br />
3.38 Reputation Authority<br />
3.39 Intelius – Background Check<br />
3.40 Netcraft<br />
3.41 Countermeasures<br />
3.42 Review<br />
3.43 Lab 3 – Information Gathering<br />
3.43.1 Exercise 1 – Google Queries<br />
3.43.2 Exercise 2 – Footprinting Tools<br />
3.43.3 Exercise 3 – Getting Everything You Need with Maltego<br />
3.43.4 Exercise 4 – Preparing Fi<br />
3.43.5 Exercise 5 – Turn in your Documentation<br />
Module 4 – Detecting Live Systems<br />
4.1 Overview<br />
4.2 Introduction to Port Scanning<br />
4.3 Port Scan Tips<br />
4.4 Expected Results<br />
4.5 Organizing the Results<br />
4.6 Leo Meta-Text Editor<br />
4.7 Free Mind<br />
4.8 IHMC CmapTools<br />
4.9 Popular Port Scanning Tools<br />
4.10 Online Ping<br />
4.11 NMAP - Ping<br />
4.12 ICMP Disabled?<br />
4.13 NMAP TCP Connect Scan<br />
4.14 TCP Connect Port Scan<br />
4.15 NMAP Half-Open Scan<br />
4.16 Half-Open Scan<br />
4.17 Firewalled Ports<br />
4.18 Iron Geek – Hacking Illustrated<br />
4.19 NMAP Service Version Detection<br />
4.20 Addition NMAP Scans<br />
4.21 Saving NMAP Results<br />
4.22 NMAP UDP Scans<br />
4.23 UDP Port Scan<br />
4.24 NMAP Idle Scan<br />
4.25 Superscan<br />
4.26 Look@LAN<br />
4.27 Unicornscan<br />
4.28 Hping2<br />
4.29 AutoScan<br />
4.30 Xprobe2<br />
4.31 What is Fuzzy Logic?<br />
4.32 P0f<br />
4.33 AMAP<br />
4.34 Fragrouter<br />
4.35 Countermeasures<br />
4.36 Review<br />
4.37 Lab 4 – Scanning<br />
4.37.1 Exercise 1 – Leo<br />
4.37.2 Exercise 2 – Look@LAN<br />
4.37.3 Exercise 3 – Zenmap<br />
4.37.4 Exercise 4 – Zenmap in BT3<br />
4.37.5 Exercise 5 – NMAP Command Line<br />
4.37.6 Exercise 6 – Hping2<br />
4.37.7 Exercise 7 – Unicornscan<br />
4.37.8 Exercise 8 – Turn in your<br />
Module 5 - Enumeration<br />
5.1 Overview<br />
5.2 Banner Grabbing with Telnet<br />
5.3 Banner Grabbing with Sup<br />
5.4 HTTPrint<br />
5.5 SMTP Server Banner Grabbing<br />
5.6 DNS Enumeration<br />
5.7 Zone Transfers<br />
5.8 Backtrack DNS Enumeration<br />
5.9 Countermeasure: DNS Zone Transfer<br />
5.10 SNMP Insecurity<br />
5.11 SNMP Enumeration Tools<br />
5.12 SNMP Countermeasures<br />
5.13 Active Directory Enumeration<br />
5.14 LDAPMiner<br />
5.15 Active Directory Countermeasures<br />
5.16 Null Sessions<br />
5.17 Syntax for Null Sessions<br />
5.18 Viewing Shares<br />
5.19 Null Session Tools<br />
5.20 Cain and Abel<br />
5.21 NAT Dictionary Attack Tool<br />
5.22 THC-Hydra<br />
5.23 Injecting the Abel Service<br />
5.24 Null Session Countermeasures<br />
5.25 Tools Summary<br />
5.26 Review<br />
5.27 Lab 5 – Enumeration<br />
5.27.1 Exercise 1 – Banner Grabbi<br />
5.27.2 Exercise 2 – Zone Transfers<br />
5.27.3 Exercise 3 – SNMP Enumeration<br />
5.27.4 Exercise 4 – LDAP Enumeration<br />
5.27.5 Exercise 5 – Null Sessions<br />
5.27.6 Exercise 6 – SMB Enumeration<br />
5.27.7 Exercise 7 – SMTP Enumeration<br />
5.27.8 Exercise 8 – Maltego<br />
5.27.9 Exercise 9 – Turn in Your Documentation<br />
Module 6 – Vulnerability Assessments<br />
6.1 Overview<br />
6.2 Vulnerabilities in Net<br />
6.3 Vulnerabilities in Networks<br />
6.4 Vulnerability Assessment Introduction<br />
6.5 Testing Overview<br />
6.6 Staying Abreast: Security Alerts<br />
6.7 Vulnerability Scanners<br />
6.8 Nessus<br />
6.9 Saint<br />
6.10 Retina<br />
6.11 Qualys Guard<br />
6.12 GFI LANguard<br />
6.13 Scanner Comparison<br />
6.14 Microsoft Baseline Analyzer<br />
6.15 Dealing with the Results<br />
6.16 Patch Management<br />
6.17 Shavlik HFNetChkPro<br />
6.18 Patching with GFI LANguard<br />
6.19 Review<br />
6.20 Lab 6 – Vulnerability Assessment<br />
6.20.1 Exercise 1 – Running Nessus in Windows<br />
6.20.2 Exercise 2 – Running Saint in Linux<br />
6.20.3 Exercise 3 – Turn in your Documentation<br />
Module 7 – Malware, Trojans and BackDoors<br />
7.1 Overview<br />
7.2 Distributing Malware<br />
7.3 Malware Capabilities<br />
7.4 Auto-Starting Malware<br />
7.5 Countermeasure to Auto<br />
7.6 Netcat<br />
7.7 Netcat Commands<br />
7.8 Executable Wrappers<br />
7.9 Historically Wrapped Trojans<br />
7.10 Restorator<br />
7.11 EXE Icon<br />
7.12 Infectious CD-ROM Technique<br />
7.13 Trojan Examples<br />
7.14 Avoiding Detection<br />
7.15 BPMTK<br />
7.16 Malware Countermeasures<br />
7.17 Gargoyle Investigator<br />
7.18 Spy Sweeper Enterprise<br />
7.19 Port Monitoring Software<br />
7.20 File Protection Software<br />
7.21 Windows File Protection<br />
7.22 Windows Software Restriction Policies<br />
7.23 Company Surveillance Software<br />
7.24 Hardware-Based Malware Detectors<br />
7.25 Countermeasure –<br />
7.26 Review<br />
7.27 Lab 7 – Malware –<br />
7.27.1 Exercise 1 – Netcat and its uses<br />
7.27.2 Exercise 2 – Exploiting and Pivoting our Attack<br />
7.27.3 Exercise 3 – Creating a Trojan<br />
7.27.4 Exercise 4 – Turn in your Documentation<br />
Module 8 – Windows Hacking<br />
8.1 Overview<br />
8.2 Types of Password Attacks<br />
8.3 Keystroke Loggers<br />
8.4 Password Guessing<br />
8.5 Password Cracking<br />
8.6 LM Hash Encryption<br />
8.7 NT Hash Encryption<br />
8.8 Syskey<br />
8.9 Cracking Techniques<br />
8.10 Rainbow Tables<br />
8.11 Creating Rainbow Tables<br />
8.12 Free Rainbow Tables<br />
8.13 Hash Insertion Attack<br />
8.14 Password Sniffing<br />
8.15 Windows Authentication Protocols<br />
8.16 Breaking Kerberos<br />
8.17 Monitoring Logs<br />
8.18 Hard Disk Security<br />
8.19 Breaking Hard Disk Encryption<br />
8.20 Tokens and Smart Cards<br />
8.21 Covering your Tracks<br />
8.22 Disabling Auditing<br />
8.23 Clearing the Event Log<br />
8.24 Alternate Data Streams<br />
8.25 ADS Countermeasures<br />
8.26 Stream Explorer<br />
8.27 Steganography<br />
8.28 Steganography Tools<br />
8.29 Shredding Files Left Behind<br />
8.30 Leaving No Local Trace<br />
8.31 Anonymizers<br />
8.32 StealthSurfer II Privacy Stick<br />
8.33 TOR<br />
8.34 Janus VM<br />
8.35 Encrypted Tunnel Notes<br />
8.36 Rootkits<br />
8.37 Windows Rootkit Countermeasures<br />
8.38 Review<br />
8.39 Lab 8 – Hacking Windows<br />
8.39.1 Exercise 1 – Cracking a Windows Password with Linux<br />
8.39.2 Exercise 2 – Cracking a Windows Password with Cain and Abel<br />
8.39.3 Exercise 3 – Covering your tracks<br />
8.39.4 Exercise 4 – Alternate Data Streams<br />
8.39.5 Exercise 5 – Steganography<br />
8.39.6 Exercise 6 – Understanding Rootkits<br />
8.39.7 Exercise 7 – Turn in your Documentation<br />
Module 9 – Hacking UNIX/Linux<br />
9.1 Overview<br />
9.2 Introduction<br />
9.3 Linux Introduction<br />
9.4 File System Structure<br />
9.5 Kernel<br />
9.6 Processes<br />
9.7 Starting and Stopping Processes<br />
9.8 Interacting with Processes<br />
9.9 Accounts and Groups<br />
9.10 Password and Shadow File Formats<br />
9.11 More on Accounts and Groups<br />
9.12 Linux and UNIX Permissions<br />
9.13 Set UID Programs<br />
9.14 Trust Relationships<br />
9.15 Logs and Auditing<br />
9.16 Common Network Services<br />
9.17 Remote Access Attacks<br />
9.18 Brute-Force Attacks<br />
9.19 Brute-Force Countermeasures<br />
9.20 X Window System<br />
9.21 X Insecurities Countermeasures<br />
9.22 Network File System<br />
9.23 NFS in Action<br />
9.24 NFS Countermeasure<br />
9.25 Passwords and Encryption<br />
9.26 Password Cracking Tools<br />
9.27 Salting<br />
9.28 Symbolic Link<br />
9.29 Symlink Countermeasure<br />
9.30 Core File Manipulation<br />
9.31 Shared Libraries<br />
9.32 Kernel Flaws<br />
9.33 File and Directory Permissions<br />
9.34 SUID Files Countermeasure<br />
9.35 File and Directory Permissions<br />
9.36 World-Writable Files Countermeasure<br />
9.37 Clearing the Log Files<br />
9.38 Rootkits – User and Kernel<br />
9.39 Rootkit Countermeasure<br />
9.40 Review<br />
9.41 Lab 10 – Hacking UNIX/Linux<br />
9.41.1 Exercise 1 – Setup and Recon<br />
9.41.2 Exercise 2 – Making use of a poorly configured service.<br />
9.41.3 Exercise 3 – Cracking a Linux Password<br />
9.41.4 Exercise 4 – Creating a simple backdoor and covering your tracks.<br />
9.41.5 Exercise 5 – Turn in your Documentation<br />
Module 10 – Advanced Exploitation Techniques<br />
10.1 Overview<br />
10.2 How Do Exploits Work?<br />
10.3 Format String<br />
10.4 Race Conditions<br />
10.5 Memory Organization<br />
10.6 Buffer Overflows<br />
10.7 Buffer Overflow Illustration<br />
10.8 How Stacks Work<br />
10.9 Stack Function Illustrated<br />
10.10 Buffer Overflow Illustration #2<br />
10.11 Heap Overflows<br />
10.12 Heap Spraying<br />
10.13 Prevention<br />
10.14 Secure Code Reviews<br />
10.15 Review Process<br />
10.16 Know the Vulnerabilities<br />
10.17 Know the Business Risks<br />
10.18 When to Conduct the Review<br />
10.19 Who should be Involved<br />
10.20 What to Look For<br />
10.21 Fixing the Issues<br />
10.22 Automated Tools<br />
10.23 Stages of Exploit Development<br />
10.24 Shellcode Development<br />
10.25 Metasploit<br />
10.26 Metasploit - Mete<br />
10.27 Fuzzers<br />
10.28 SaintExploit<br />
10.29 Core Impact<br />
10.30 Tools Comparison<br />
10.31 Review<br />
10.32 Lab 10 – Advanced Exploitation Techniques<br />
10.32.1 Exercise 1 – Metasploit Command Line<br />
10.32.2 Exercise 2 – Metasploit Web Interface<br />
10.32.3 Exercise 3 – Milw0rm<br />
10.32.4 Exercise 4 – SaintExploit<br />
10.32.5 Exercise 5 – Core Impact<br />
10.32.6 Exercise 6 – Turn in your Documentation<br />
Module 11 – Pen Testing Wireless Networks<br />
11.1 Overview<br />
11.2 Standards Comparison<br />
11.3 SSID<br />
11.4 MAC Filtering<br />
11.5 WEP<br />
11.6 Weak IV Packets<br />
11.7 XOR Basics<br />
11.8 WEP Weaknesses<br />
11.9 How WPA Improves on WEP<br />
11.10 TKIP<br />
11.11 The WPA MIC Vulnerability<br />
11.12 WPA2<br />
11.13 WPA and WPA2 Modes<br />
11.14 WPA-PSK Encryption<br />
11.15 LEAP<br />
11.16 LEAP Weaknesses<br />
11.17 NetStumbler<br />
11.18 KNSGEM<br />
11.19 Vistumbler<br />
11.20 Kismet<br />
11.21 OmniPeek Personal<br />
11.22 Aircrack-ng Suite<br />
11.23 Airodump-ng<br />
11.24 Aireplay-ng<br />
11.25 DoS Attack<br />
11.26 Aircrack-ng<br />
11.27 Aircrack for Windows<br />
11.28 Attacking WEP<br />
11.29 Attacking WPA<br />
11.30 coWPAtty<br />
11.31 Exploiting Cisco LEAP<br />
11.32 asleap<br />
11.33 WiFiZoo<br />
11.34 Wesside-ng<br />
11.35 www.wirelessdefence.org<br />
11.36 Typical Network Blueprint<br />
11.37 EAP Types<br />
11.38 EAP Advantages/Disadvantages<br />
11.39 EAP/TLS Deployment<br />
11.40 Aruba Products<br />
11.41 Airwave – RAPIDS Rogue Detection Module<br />
11.42 Review<br />
11.43 Lab 11 – Pen Testing Wireless Networks<br />
11.43.1 Exercise 1 – War Driving<br />
11.43.2 Exercise 2 – WEP Cracking<br />
11.43.3 Exercise 3 – Turn in your Documentation<br />
Module 12 – Networks, Sniffing and IDS<br />
12.1 Overview<br />
12.2 Packet Sniffers<br />
12.3 Pcap and WinPcap<br />
12.4 Wireshark<br />
12.5 TCP Stream Re-assembling<br />
12.6 Packetyzer<br />
12.7 tcpdump and windump<br />
12.8 Omnipeek<br />
12.9 Cain and Abel<br />
12.10 Active Sniffing Methods<br />
12.11 Switch Table Flooding<br />
12.12 ARP Cache Poisoning<br />
12.13 ARP Normal Operation<br />
12.14 ARP Cache Poisoning in Action<br />
12.15 ARP Cache Poisoning with Linux<br />
12.16 Countermeasures<br />
12.17 Using Cain and Abel for ARP Cache Poisoning<br />
12.18 Ettercap<br />
12.19 Dsniff Suite<br />
12.20 Dsniff in Action<br />
12.21 MailSnarf, MsgSnarf and FileSnarf<br />
12.22 What is DNS Spoofing?<br />
12.23 DNS Spoofing<br />
12.24 Session Hijacking<br />
12.25 Breaking SSL<br />
12.26 Capturing VoIP<br />
12.27 Intercepting VoIP<br />
12.28 Intercepting RDP<br />
12.29 Routing Protocols Analysis<br />
12.30 Countermeasures for Sniffing<br />
12.31 Evading the Firewall and IDS<br />
12.32 Fragmentation<br />
12.33 Evading with Encryption<br />
12.34 Newer Firewall Capabilities<br />
12.35 New Age Protection<br />
12.36 Bastion Host<br />
12.37 Spyware Prevention System<br />
12.38 Intrusion ‘SecureHost’ Overview<br />
12.39 IPS Overview<br />
12.40 Review<br />
12.41 Lab 12 – Networks, Sniffing and IDS<br />
12.41.1 Exercise 1 – Capture FTP Traffic<br />
12.41.2 Exercise 2 – ARP Cache Poisoning Basics<br />
12.41.3 Exercise 3 – ARP Cache Poisoning<br />
12.41.4 Exercise 4 – Turn in your Documentation<br />
Module 13 – Injecting the Database<br />
13.1 Overview<br />
13.2 Vulnerabilities and Common Attacks<br />
13.3 SQL Injection<br />
13.4 Business Impacts of SQL Injection<br />
13.5 Why SQL Injection?<br />
13.6 Database Enumeration<br />
13.7 Extended Stored Proc<br />
13.8 Direct Attacks<br />
13.9 SQL Connection Properties<br />
13.10 Default Ports<br />
13.11 Obtaining Sensitive Info<br />
13.12 SQL Ping2<br />
13.13 osql.exe<br />
13.14 Query Analyzers<br />
13.15 SQLExec<br />
13.16 www.petefinnegan.com<br />
13.17 Metasploit<br />
13.18 Finding and Fixing SQL Injection<br />
13.19 Hardening Databases<br />
13.20 Review<br />
13.21 Lab 13 – Attacking the Database<br />
13.21.1 Exercise 1 – Login Bypass<br />
13.21.2 Exercise 2 – Verbose Table Modific<br />
13.21.3 Exercise 3 – Denial of Service<br />
13.21.4 Exercise 4 – Data Tampering<br />
13.21.5 Exercise 5 – Turn in your Documentation<br />
Module 14 – Attacking Web Technologies<br />
14.1 Overview<br />
14.2 Web Server Market Share<br />
14.3 OWASP Top 10<br />
14.4 Progression of the Professional Hacker<br />
14.5 The Anatomy of a Web Application Attack<br />
14.6 Components of a Web Application System<br />
14.7 Query String<br />
14.8 URL Mappings<br />
14.9 Information Gathering<br />
14.10 Changing URL Login Parameters<br />
14.11 URL Login - Horizontal Attack<br />
14.12 URL Login – Vertical Escalation<br />
14.13 Cross-Site Scripting<br />
14.14 Stored XSS Illustrated<br />
14.15 Reflected XSS Illustrated<br />
14.16 Business Impacts of XSS<br />
14.17 Finding and Fixing XSS<br />
14.18 Injection Flaws<br />
14.19 Unvalidated Input<br />
14.20 Unvalidated Input Illustrated<br />
14.21 Business Impacts of Unvalidated Input<br />
14.22 Finding and Fixing Unvalidated Input<br />
14.23 Attacks against IIS<br />
14.24 IIS Directory Traversal<br />
14.25 Unicode<br />
14.26 IIS Logs<br />
14.27 N-Stalker<br />
14.28 NTO Spider<br />
14.29 HTTrack Website Copier<br />
14.30 Wikto<br />
14.31 Burp Proxy<br />
14.32 Brutus<br />
14.33 Dictionary Maker<br />
14.34 Cookies<br />
14.35 Acunetix Web Scanner<br />
14.36 Eclipse for Code Review<br />
14.37 WebScarab<br />
14.38 Samurai<br />
14.39 OWASP Web Application Penetration Checklist<br />
14.40 Review<br />
14.41 Lab 14 – Attacking Web Technologies<br />
14.41.1 Exercise 1 – Input Manipulation<br />
14.41.2 Exercise 2 – Shovelling a Shell<br />
14.41.3 Exercise 3 – Horizontal Privilege Escalation<br />
14.41.4 Exercise 4 – Vertical Privilege Escalation<br />
14.41.5 Exercise 5 – Cross Site Scripting<br />
14.41.6 Exercise 6 – Turn in your Documentation<br />
Module 15 – Report Writing<br />
15.1 Overview<br />
15.2 Additional Items to Consider<br />
15.3 The Report<br />
15.4 Support Documentation<br />
15.5 Analyzing Risk<br />
15.6 Report Results Matrix<br />
15.7 Findings Matrix Examples<br />
15.8 Delivering the Report<br />
15.9 Stating the Fact<br />
15.10 Recommendations<br />
15.11 Executive Summary<br />
15.12 Technical Report<br />
15.13 Table of Contents<br />
15.14 Summary of Weaknesses Identified<br />
15.15 Scope of Testing<br />
15.16 Summary of Recommendations<br />
15.17 Summary Observations<br />
15.18 Detailed Findings<br />
15.19 Strategic and Tactical Directives<br />
15.20 Statement of Responsibility<br />
15.21 Appendices<br />
15.22 Review<br />
Appendix 1 – The Basics<br />
16.1 Overview<br />
16.2 The Growth of Environments and Security<br />
16.3 Our Motivation<br />
16.4 The Goal<br />
16.5 CIA Triad in Detail<br />
16.6 Holistic Security<br />
16.7 Security Definitions<br />
16.8 Definitions Relationships<br />
16.9 TCP/IP Basics<br />
16.9.1 Ping<br />
16.9.2 TCP/IP Stack<br />
16.9.3 TCP/IP for Security Administrators<br />
16.9.4 Ports and Services<br />
16.9.5 TCP 3-Way Handshake<br />
16.9.6 TCP Flags<br />
16.10 Malware<br />
16.10.1 Types of Malware<br />
16.10.2 Types of Viruses<br />
16.10.3 Spyware<br />
16.10.4 Trojan Horse<br />
16.10.5 Back Doors<br />
16.11 Denial of Service<br />
16.11.1 DDoS Issues<br />
16.12 Network Devices and Sniffers<br />
16.12.1 Packet Sniffers<br />
16.12.2 Passive Sniffing<br />
16.12.3 Active Sniffing<br />
16.13 Firewalls, IDS and IPS<br />
16.13.1 Firewall<br />
16.13.2 IDS<br />
16.13.3 IPS<br />
16.13.4 Firewall Types<br />
16.13.5 Packet Filterin<br />
16.13.6 Proxy Firewalls<br />
16.13.7 Circuit-Level Proxy Firewall<br />
16.13.8 SOCKS<br />
16.13.9 Application-Layer Proxy<br />
16.13.10 Stateful<br />
16.13.11 Dynamic Packet<br />
16.13.12 Kernel Proxies<br />
16.13.13 Firewall Placement<br />
16.13.14 Screened Host<br />
16.13.15 Multi- or Dual<br />
16.13.16 Screened Subnet<br />
16.14 Wireless Standards<br />
16.14.1 WiFi Network Types<br />
16.14.2 Widely Deployed Standards<br />
16.14.3 Standards Comparison<br />
16.14.4 802.11n – MIMO<br />
16.15 Database Basics<br />
16.15.1 Overview of Database Server<br />
16.15.2 Types of Databases<br />
16.15.3 Components of the<br />
16.16 Review<br />
Appendix 2 – Linux Fundamentals<br />
17.1 Overview<br />
17.2 Linux History<br />
17.3 The GNU Operating System<br />
17.4 Linux Introduction<br />
17.5 Linux GUI Desktops<br />
17.6 Linux Shell<br />
17.7 Linux Bash Shell<br />
17.8 Books on Linux<br />
17.9 Password and Shadow File Formats<br />
17.10 User Account Management<br />
17.11 Changing your Password<br />
17.12 Configuring your Network Interface<br />
17.13 Mounting Drives<br />
17.14 Tarballs and Zips<br />
17.15 Compiling Programs<br />
17.16 Typical Linux Operating Systems<br />
17.17 Gentoo<br />
17.18 VLOS<br />
17.19 Why use Linux Boot CDs?<br />
17.20 FrozenTech’s Complete Distro List<br />
17.21 Backtrack<br />
17.22 Review<br />
Appendix 3 – Access Controls<br />
18.1 Overview<br />
18.2 Role of Access Control<br />
18.3 Definitions<br />
18.4 Categories of Access Controls<br />
18.5 Physical Controls<br />
18.6 Logical Controls<br />
18.7 “Soft” Controls<br />
18.8 Security Roles<br />
18.9 Steps to Granting Access<br />
18.10 Access Criteria<br />
18.11 Physical Access Control Mechanisms<br />
18.12 Biometric System Types<br />
18.13 Synchronous Token<br />
18.14 Asynchronous Token<br />
18.15 Memory Cards<br />
18.16 Smart Cards<br />
18.17 Cryptographic Keys<br />
18.18 Logical Access Controls<br />
18.19 OS Access Controls<br />
18.20 Review<br />
Appendix 4 – Protocols<br />
19.1 Overview<br />
19.2 OSI – Application Layer<br />
19.3 OSI – Presentation Layer<br />
19.4 OSI – Session Layer<br />
19.5 OSI – Transport Layer<br />
19.6 OSI – Network Layer<br />
19.7 OSI – Data Link<br />
19.8 OSI – Physical Layer<br />
19.9 Protocols at Each OSI Model Layer<br />
19.10 TCP/IP Suite<br />
19.11 Port and Protocol Relationship<br />
19.12 Conceptual Use of Ports<br />
19.13 UDP vs TCP<br />
19.14 ARP<br />
19.15 ICMP<br />
19.16 DNS<br />
19.17 SSH<br />
19.18 SNMP<br />
19.19 SMTP<br />
19.20 Review<br />
Appendix 5 – Cryptography<br />
20.1 Overview<br />
20.2 Introduction<br />
20.3 Encryption<br />
20.4 Cryptographic Definitions<br />
20.5 The Science of Secret Communications<br />
20.6 Encryption Algorithm<br />
20.7 Implementation<br />
20.8 Symmetric Encryption<br />
20.9 Symmetric Downfalls<br />
20.10 Symmetric Algorithms<br />
20.11 Crack Times<br />
20.12 Asymmetric Encryption<br />
20.13 Asymmetric Advantages<br />
20.14 Asymmetric Disadvantages<br />
20.15 Asymmetric Algorithms<br />
20.16 Key Exchange<br />
20.17 Symmetric vs Asymmetric<br />
20.18 Hybrid Encryption<br />
20.19 Hashing<br />
20.20 Common Hash Algorithms<br />
20.21 Birthday Attack<br />
20.22 Hash Demo<br />
20.23 Security Issues in Hashing<br />
20.24 Hash Collisions<br />
20.25 MD5 Collision Creates Rogue Certificate Authority<br />
20.26 More Hybrid Encryption<br />
20.27 Digital Signatures<br />
20.28 SSL/TLS<br />
20.29 SSL Connection Setup<br />
20.30 SSL Hybrid Encryption<br />
20.31 SSH<br />
20.32 IPSec<br />
20.33 PKI<br />
20.34 Quantum Cryptography<br />
20.35 Attack Vectors<br />
20.36 Network Attacks<br />
20.37 More Attacks<br />
20.38 Review<br />
20.39 A5 Lab – Cryptography<br />
20.39.1 Exercise 1 – Caesar Encryption<br />
20.39.2 Exercise 2 – RC4 Encryption<br />
20.39.3 Exercise 3 – IPSec Deployment<br />
Appendix 6 – Economics and Law<br />
21.1 Overview<br />
21.2 Security Incentives and Motives<br />
21.3 What is Your Weakest Link?<br />
21.4 What is the Value of an Asset?<br />
21.5 Non-Obvious Vulnerabilities<br />
21.6 Categorizing Risks<br />
21.7 Types of Losses<br />
21.8 Approaches to Analyzing Risk<br />
21.9 Who Uses What Analysis Type?<br />
21.10 Qualitative Analysis Method<br />
21.11 Quantitative Analysis<br />
21.12 Can a Purely Quantitative Method be accomplished?<br />
21.13 Comparing Cost and Benefit<br />
21.14 Cost of a Countermeasure<br />
21.15 CyberCrime<br />
21.16 Not Just Fun and Games<br />
21.17 Example of Computer Crimes<br />
21.18 Perpetrators<br />
21.19 Attack Types<br />
21.20 Telephone Fraud<br />
21.21 Identification Protection and Prosecution<br />
21.22 Privacy of Sensitive Data<br />
21.23 Privacy Issues – US Laws and Examples<br />
21.24 EU Principles on Privacy<br />
21.25 Transborder Information Flow<br />
21.26 Employee Privacy Issues<br />
21.27 U.S. Law<br />
21.28 Common Laws – Civil<br />
21.29 Common Laws – Criminal<br />
21.30 Common Laws – Administrative<br />
21.31 U.S. Federal Laws<br />
21.32 Intellectual Property Laws<br />
21.33 Trademark and Patent<br />
21.34 Software Licensing<br />
21.35 Digital Millennium Copyright Act<br />
21.36 Investigating<br />
21.37 Computer Crime and its Barriers<br />
21.38 Countries Working Together<br />
21.39 Security Principles for International Use<br />
21.40 Has a Crime Been Committed?<br />
21.41 Bringing in Law Enforcement<br />
21.42 Citizen vs Law Enforcement Investigation<br />
21.43 Investigation of Any Crime<br />
21.44 Role of Evidence in a Trial<br />
21.45 Evidence Requirements<br />
21.46 Chain of Custody<br />
21.47 How Evidence is Processed<br />
21.48 Evidence Types<br />
21.49 Hearsay Rule Exception<br />
21.50 Responding to an Incident<br />
21.51 Preparing for a Crime before it happens!<br />
21.52 Incident Handling<br />
21.53 Evidence Collection Topics<br />
21.54 Specialized Skill<br />
21.55 Trying to Trap the Bad Guy<br />
21.56 Companies Can be Found Liable!<br />
21.57 Review<br />