Certified Penetration Testing Engineer

ACCREDITATIONS
The Certified Penetration Testing Engineer course is accredited by the NSA CNSSI-4013: National Information Assurance Training.

EXAM INFORMATION
The Certified Penetration Testing Engineer exam is taken online through Mile2’s Assessment and Certification System (“MACS”), which is accessible on your mile2.com account. The exam will take 2 hours and consist of 100 multiple choice questions.

COURSE DETAILS
Module 0: Course Overview
Module 1: Business & Technical Logistics of Pen Testing
Module 2: Linux Fundamentals
Module 3: Information Gathering
Module 4: Detecting Live Systems
Module 5: Enumeration
Module 6: Vulnerability Assessments
Module 7: Malware Goes Undercover
Module 8: Windows Hacking
Module 9: Hacking UNIX/Linux
Module 10: Advanced Exploitation Techniques
Module 11: Pen Testing Wireless Networks
Module 12: Networks, Sniffing and IDS
Module 13: Injecting the Database
Module 14: Attacking Web Technologies
Module 15: Project Documentation
Module 16: Securing Windows w/ Powershell
Module 17: Pen Testing with Powershell
DETAILED HANDS-ON LABORATORY OUTLINE

Lab 1 – Introduction to Pen Testing Setup
  Section 1 – Recording IPs and Logging into the VMs
  Section 2 – Research
Lab 2 – Linux Fundamentals
  Section 1 – Command Line Tips & Tricks
  Section 2 – Linux Networking for Beginners
  Section 3 – Using FTP during a pentest
Lab 3 – Using tools for reporting
  Section 1 – Setting up and using MagicTree
Lab 4 – Information Gathering
  Section 1 – Google Queries
  Section 2 – Searching Pastebin
  Section 3 – Automated Vulnerabilities Search using Search Diggity
  Section 4 – Maltego
  Section 5 – People Search Using the Spokeo Online Tool
  Section 6 – Recon with Firefox
  Section 7 – Documentation
Lab 5 – Detecting Live Systems / Scanning Techniques
  Section 1 – Finding a target using Ping utility
  Section 2 – Footprinting a Target Using nslookup Tool
  Section 3 – Scanning a Target Using nmap Tools
  Section 4 – Scanning a Target Using Zenmap Tools
  Section 5 – Scanning a Target Using hping3 Utility
  Section 6 – Make use of the telnet utility to perform banner grabbing
  Section 7 – Documentation
Lab 6 – Enumeration
  Section 1 – OS Detection with Zenmap
  Section 2 – Enumerating a local system with Hyena
  Section 3 – Enumerating services with nmap
  Section 4 – DNS Zone Transfer
  Section 5 – LDAP Enumeration
Lab 7 – Vulnerability Assessments
  Section 1 – Vulnerability Assessment with SAINT
  Section 2 – Vulnerability Assessment with OpenVAS
Lab 8 – Software Goes Undercover
  Section 1 – Creating a Virus
Lab 9 – System Hacking – Windows Hacking
  Section 1 – System Monitoring and Surveillance
  Section 2 – Hiding Files using NTFS Streams
  Section 3 – Find Hidden ADS Files
  Section 4 – Hiding Files with Stealth Tools
  Section 5 – Extracting SAM Hashes for Password cracking
  Section 6 – Creating Rainbow Tables
  Section 7 – Password Cracking
  Section 8 – Mimikatz
Lab 10 – System Hacking – Linux/Unix Hacking
  Section 1 – Taking Advantage of Misconfigured Services
  Section 2 – Cracking a Linux Password
  Section 3 – Setting up a Backdoor
Lab 11 – Advanced Vulnerability and Exploitation Techniques
  Section 1 – Metasploitable Fundamentals
  Section 2 – Metasploit port and vulnerability scanning
  Section 3 – Client-side attack with Metasploit
  Section 4 – Armitage
Lab 12 – Network Sniffing/IDS
  Section 1 – Sniffing Passwords with Wireshark
  Section 2 – Performing MitM with Cain
  Section 3 – Performing MitM with sslstrip
Lab 13 – Attacking Databases
  Section 1 – Attacking MySQL Database
  Section 2 – Manual SQL Injection
Lab 14 – Attacking Web Applications
  Section 1 – Attacking with XSS
  Section 2 – Attacking with CSRF
DETAILED COURSE OUTLINE

Module 0: Course Introduction
  Courseware Materials
  Course Overview
  Course Objectives
  CPTE Exam Information
  Learning Aids
  Labs
  Class Prerequisites
  Student Facilities
Module 1: Business and Technical Logistics of Penetration Testing
  Overview
  What is a Penetration Test?
  Benefits of a Penetration Test
  Data Breach Insurance
  CSI Computer Crime Survey
  Recent Attacks & Security Breaches
  What does a Hack cost you?
  Internet Crime Complaint Center
  The Evolving Threat
  Security Vulnerability Life Cycle
  Exploit Timeline
  Zombie Definition
  What is a Botnet?
  How is a Botnet Formed?
  Botnet Statistics
  How are Botnets Growing?
  Types of Penetration Testing
  Hacking Methodology
  Methodology for Penetration Testing
  Penetration Testing Methodologies
  Hacker vs. Penetration Tester
  Not Just Tools
  Website Review
  Tool: SecurityNOW! SX
  Seven Management Errors
  Review
Module 2: Linux Fundamentals
  Overview
  Linux History: Linus, Minix, Linux
  The GNU Operating System
  Linux Introduction
  Linux GUI Desktops
  Linux Shell
  Linux Bash Shell
  Recommended Linux Book
  Password & Shadow File Formats
  User Account Management
  Instructor Demonstration
  Changing a user account password
  Configuring Network Interfaces with Linux
  Mounting Drives with Linux
  Tarballs and Zips
  Compiling Programs in Linux
  Why Use Live Linux Boot CDs
  Typical Linux Operating Systems
Module 3: Information Gathering
  Overview
  What Information is gathered by the Hacker?
  Organizing Collected Information
  Leo meta-text editor
  FreeMind: Mind mapping
  IHMC CmapTools
  Methods of Obtaining Information
  Physical Access
  Social Access
  Social Engineering Techniques
  Social Networks
  Instant Messengers and Chats
  Digital Access
  Passive vs. Active Reconnaissance
  Footprinting defined
  Maltego
  Maltego GUI
  FireCAT
  Footprinting tools
  Google Hacking
  Google and Query Operators
  SiteDigger
  Job Postings
  Blogs & Forums
  Google Groups / USENET
  Internet Archive: The WayBack Machine
  Domain Name Registration
  WHOIS
  WHOIS Output
  DNS Databases
  Using Nslookup
  Dig for Unix / Linux
  Traceroute Operation
  Traceroute (cont.)
  3D Traceroute
  Opus online traceroute
  People Search Engines
  Intelius info and Background Check Tool
  EDGAR For USA Company Info
  Companies House For British Company Info
  Client Email Reputation
  Web Server Info Tool: Netcraft
  Footprinting Countermeasures
  DOMAINSBYPROXY.COM
  Review
Module 4: Detecting Live Systems
  Overview
  Introduction to Port Scanning
  Port Scan Tips
  Expected Results
  Popular Port Scanning Tools
  Stealth Online Ping
  NMAP: Is the Host online?
  ICMP Disabled?
  NMAP TCP Connect Scan
  TCP Connect Port Scan
  Tool Practice: TCP half-open & Ping Scan
  Half-open Scan
  Firewalled Ports
  NMAP Service Version Detection
  Additional NMAP Scans
  Saving NMAP results
  NMAP UDP Scans
  UDP Port Scan
  Advanced Technique
  Tool: Superscan
  Tool: Look@LAN
  Tool: Hping2/3
  More Hping2/3
  Tool: Auto Scan
  OS Fingerprinting: Xprobe2
  Xprobe2 Options
  Xprobe2 -v -T21-500 192.168.XXX.XXX
  Tool: P0f
  Tool Practice: Amap
  Tool: Fragrouter: Fragmenting Probe Packets
  Countermeasures: Scanning
  Review
Module 5: Enumeration
  Enumeration Overview
  Web Server Banners
  Practice: Banner Grabbing with Telnet
  SuperScan 4 Tool: Banner Grabbing
  Sc HTTPrint
  SMTP Server Banner
  DNS Enumeration
  Zone Transfers from Windows 2000 DNS
  Backtrack DNS Enumeration
  Countermeasure: DNS Zone Transfers
  SNMP Insecurity
  SNMP Enumeration Tools
  SNMP Enumeration Countermeasures
  Active Directory Enumeration
  LDAPMiner
  AD Enumeration countermeasures
  Null sessions
  Syntax for a Null Session
  Viewing Shares
  Tool: DumpSec
  Tool: Enumeration with Cain and Abel
  NAT Dictionary Attack Tool
  THC-Hydra
  Injecting Abel Service
  Null Session Countermeasures
  Review
Module 6: Vulnerability Assessments
  Overview
  Vulnerabilities in Network Services
  Vulnerabilities in Networks
  Vulnerability Assessment Definition
  Vulnerability Assessment Intro
  Testing Overview
  Staying Abreast: Security Alerts
  Vulnerability Research Sites
  Vulnerability Scanners
  Nessus
  Nessus Report
  SAINT – Sample Report
  Tool: Retina
  QualysGuard (http://www.qualys.com/products/overview/)
  Tool: LANguard
  Microsoft Baseline Security Analyzer
  MBSA Scan Report
  Dealing with Assessment Results
  Patch Management
  Other Patch Management Options
Module 7: Malware Goes Undercover
  Overview
  Distributing Malware
  Malware Capabilities
  Countermeasure: Monitoring Autostart Methods
  Tool: Netcat
  Netcat Switches
  Netcat as a Listener
  Executable Wrappers
  Benign EXEs Historically Wrapped with Trojans
  Tool: Restorator
  Tool: Exe Icon
  The Infectious CD-ROM Technique
  Trojan: Backdoor.Zombam.B
  Trojan: JPEG GDI All in One Remote Exploit
  Advanced Trojans: Avoiding Detection
  BPMTK
  Malware Countermeasures
  Gargoyle Investigator
  Spy Sweeper Enterprise
  CM Tool: Port Monitoring Software
  CM Tools: File Protection Software
  CM Tool: Windows File Protection
  CM Tool: Windows Software Restriction Policies
  CM Tool: Hardware Malware Detectors
  Countermeasure: User Education
Module 8: Windows Hacking
  Overview
  Password Guessing
  LM/NTLM Hashes
  LM Hash Encryption
  NT Hash Generation
  Syskey Encryption
  Cracking Techniques
  Precomputation Detail
  Creating Rainbow Tables
  Free Rainbow Tables
  NTPASSWD: Hash Insertion Attack
  Password Sniffing
  Windows Authentication Protocols
  Hacking Tool: Kerbsniff & KerbCrack
  Countermeasure: Monitoring Logs
  Hard Disk Security
  Password Cracking
  Breaking HD Encryption
  Tokens & Smart Cards
  USB Tokens
  Covering Tracks Overview
  Disabling Auditing
  Clearing an Event Log
  Hiding Files with NTFS Alternate Data Streams
  NTFS Streams countermeasures
  What is Steganography?
  Steganography Tools
  Shredding Files Left Behind
  Leaving No Local Trace
  Tor: Anonymous Internet Access
  How Tor Works
  TOR OpenVPN Janus VM
  Encrypted Tunnel Notes
  Hacking Tool: RootKit
  Windows RootKit Countermeasures
Module 9: Hacking UNIX/Linux
  Overview
  Introduction
  File System Structure
  Kernel
  Processes
  Starting and Stopping Processes
  Interacting with Processes
  Command Assistance
  Accounts and Groups
  Password & Shadow File Formats
  Linux and UNIX Permissions
  Set UID Programs
  Trust Relationships
  Logs and Auditing
  Common Network Services
  Remote Access Attacks
  Brute-Force Attacks
  Brute-Force Countermeasures
  X Window System
  X Insecurities Countermeasures
  Network File System (NFS)
  NFS Countermeasures
  Passwords and Encryption
  Password Cracking Tools
  Salting
  Symbolic Link
  Symlink Countermeasure
  Core File Manipulation
  Shared Libraries
  Kernel Flaws
  File and Directory Permissions
  SUID Files Countermeasure
  World-Writable Files Countermeasure
  Clearing the Log Files
  Rootkits
  Rootkit Countermeasures
  Review
Module 10: Advanced Exploitation Techniques
  Overview
  How Do Exploits Work?
  Format String
  Race Conditions
  Memory Organization
  Buffer Overflows
  Buffer Overflow Definition
  Overflow Illustration
  How Buffers and Stacks Are Supposed to Work
  Stack Function
  How a Buffer Overflow Works
  Heap Overflows
  Heap Spraying
  Prevention
  Security Code Reviews
  Stages of Exploit Development
  Shellcode Development
  The Metasploit Project
  The Metasploit Framework
  Meterpreter
  Fuzzers
  SAINTexploit at a Glance
  SAINTexploit Interface
  Core Impact Overview
  Review
Module 11: Pen Testing Wireless Networks
  Overview
  Standards Comparison
  SSID (Service Set Identifier)
  MAC Filtering
  Wired Equivalent Privacy
  Weak IV Packets
  WEP Weaknesses
  XOR – Encryption Basics
  How WPA improves on WEP
  TKIP
  The WPA MIC Vulnerability
  802.11i – WPA2
  WPA and WPA2 Mode Types
  WPA-PSK Encryption
  LEAP
  LEAP Weaknesses
  NetStumbler
  Tool: Kismet
  Tool: Aircrack-ng Suite
  Tool: Airodump-ng
  Tool: Aireplay-ng
  DoS: Deauth/disassociate attack
  Tool: Aircrack-ng
  Attacking WEP
  Attacking WPA
  coWPAtty
  Exploiting Cisco LEAP
  asleap
  WiFiZoo
  Wesside-ng
  Typical Wired/Wireless Network
  802.1X: EAP Types
  EAP Advantages/Disadvantages
  EAP/TLS Deployment
  New Age Protection
  Aruba – Wireless Intrusion Detection and Prevention
  RAPIDS Rogue AP Detection Module
  Review
Module 12: Networks, Sniffing, IDS
  Overview
  Example Packet Sniffers
  Tool: Pcap & WinPcap
  Tool: Wireshark
  TCP Stream Re-assembling
  Tool: Packetyzer
  tcpdump & windump
  Tool: OmniPeek
  Sniffer Detection Using Cain & Abel
  Active Sniffing Methods
  Switch Table Flooding
  ARP Cache Poisoning
  ARP Normal Operation
  ARP Cache Poisoning Tool
  Countermeasures
  Tool: Cain and Abel
  Ettercap
  Linux Tool Set: Dsniff Suite
  Dsniff Operation
  MailSnarf, MsgSnarf, FileSnarf
  What is DNS spoofing?
  Tools: DNS Spoofing
  Session Hijacking
  Breaking SSL Traffic
  Tool: Breaking SSL Traffic
  Tool: Cain and Abel
  Voice over IP (VoIP)
  Intercepting VoIP
  Intercepting RDP
  Cracking RDP Encryption
  Routing Protocols Analysis
  Countermeasures for Sniffing
  Evading The Firewall and IDS
  Evasive Techniques
  Firewall – Normal Operation
  Evasive Technique – Example
  Evading With Encrypted Tunnels
  Newer Firewall Capabilities
  ‘New Age’ Protection
  Networking Device – Bastion Host
  Spyware Prevention System (SPS)
  Intrusion ‘SecureHost’ Overview
  Intrusion Prevention Overview
  Review
Module 13: Injecting the Database
  Overview
  Vulnerabilities & Common Attacks
  SQL Injection
  Impacts of SQL Injection
  Why SQL “Injection”?
  SQL Injection: Enumeration
  SQL Extended Stored Procedures
  Direct Attacks
  SQL Connection Properties
  Attacking Database Servers
  Obtaining Sensitive Information
  Hacking Tool: SQLScan
  Hacking Tool: osql.exe
  Hacking Tool: Query Analyzers
  Hacking Tool: SQLExec
  www.petefinnegan.com
  Hacking Tool: Metasploit
  Finding & Fixing SQL Injection
Module 14: Attacking Web Technologies
  Overview
  Web Server Market Share
  Common Web Application Threats
  Progression of a Professional Hacker
  Anatomy of a Web Application Attack
  Web Application Components
  Web Application Penetration Methodologies
  URL Mappings to Web Applications
  Query String
  Changing URL Login Parameters
  Cross-Site Scripting (XSS)
  Injection Flaws
  Unvalidated Input
  Unvalidated Input Illustrated
  Impacts of Unvalidated Input
  Finding & Fixing Unvalidated Input
  Attacks against IIS
  Unicode
  IIS Directory Traversal
  IIS Logs
  Other Unicode Exploitations
  N-Stalker Scanner 2009
  NTOSpider
  HTTrack Website Copier
  Wikto Web Assessment Tool
  SiteDigger v3.0
  Paros Proxy
  Burp Proxy
  Brutus
  Dictionary Maker
  Cookies
  Acunetix Web Scanner
  Samurai Web Testing Framework
Module 15: Project Documentation
  Overview
  Additional Items
  The Report
  Report Criteria
  Supporting Documentation
  Analyzing Risk
  Report Results Matrix
  Findings Matrix
  Delivering the Report
  Stating Fact
  Summary
  Recommendations
  Summary Observations
  Detailed Findings
  Strategic and Tactical Directives
  Statement of Responsibility / Appendices
  Recommendations
  Executive Summary
  Technical Report
  Report Table of Contents
  Summary of Security Weaknesses Identified
  Scope of Testing
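Module 13 closes on “Finding & Fixing SQL Injection”, and Lab 13 Section 2 has students inject a login form by hand. The block below is an added example written for this outline, not Mile2’s lab material: it puts the string-built login query the lab attacks next to the parameterised fix, and shows the error-based probe (a lone quote) used to find the flaw in the first place. It uses Python’s bundled SQLite rather than the lab’s MySQL so it runs offline; the users table, credentials and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the lab environment)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return con


def login_vulnerable(con, username, password):
    """The lab's target pattern: user input is spliced into the SQL text,
    so a quote in the input ends the string literal and becomes SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_fixed(con, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement, so a quote is data and can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def probe_for_injection(con, login_fn):
    """Manual detection step: a single quote breaks a string-built query
    (database error) but is harmless to a parameterised one."""
    try:
        login_fn(con, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


def run_demo():
    con = make_db()
    # Payload 1: close the string and comment out the password check.
    comment_bypass = ("admin' --", "wrong-password")
    # Payload 2: make the WHERE clause a tautology (first row wins, which is often the admin).
    tautology = ("' OR '1'='1", "' OR '1'='1")
    return {
        "probe_vulnerable": probe_for_injection(con, login_vulnerable),
        "probe_fixed": probe_for_injection(con, login_fixed),
        "vuln_comment": login_vulnerable(con, *comment_bypass),
        "vuln_tautology": login_vulnerable(con, *tautology),
        "fixed_comment": login_fixed(con, *comment_bypass),
        "fixed_tautology": login_fixed(con, *tautology),
        "fixed_valid": login_fixed(con, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Both payloads log in as admin through the vulnerable function and return nothing through the fixed one, while a genuine credential still works. Comment syntax differs by engine (SQLite and MySQL both accept `--` followed by a space), which is why the manual lab has students try several probe strings rather than one.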