Transcription
EC-Council - Certified Security AnalystCourse Introduction3mStudent Introduction9mStudent IntroductionCertificationECSA TrackLPT TrackWhat next after ECSA Training?Demo - Overview of Available ResourcesLab SessionsStudent Introduction ReviewModule 01 - The Need for Security AnalysisThe Need for Security AnalysisWhat are we Concerned About?So What are you Trying to Protect?Why are Intrusions so Often Successful?What are the Greatest Challenges?Environmental ComplexityNew TechnologiesNew Threats and ExploitsDemo - Keep Updated with ResearchLimited FocusLimited ExpertiseTool: Data Loss Cost CalculatorDemo - Tech//404 Data Loss CalculatorIn Order to Ensure yAvailabilityNon-RepudiationWe Must be DiligentThreat AgentsAssessment QuestionsHow Much Security is Enough?RiskSimplifying RiskRisk AnalysisRisk Assessment Answers Seven Questions:Steps of Risk AssessmentDemo - Risk AssessmentDemo - CIO-view Self-assessmentRisk Assessment ValuesDemo - Quantitative Threat AnalysisInformation Security AwarenessSecurity PoliciesSecurity Policy BasicsDemo - Policy TemplatesTypes of PoliciesPromiscuous Policy2h 41m
Permissive PolicyPrudent PolicyParanoid PolicyAcceptable-Use PolicyUser-Account PolicyRemote-Access PolicyInformation-Protection PolicyFirewall-Management PolicySpecial-Access PolicyNetwork-Connection PolicyBusiness-Partner PolicyData Classification PoliciesIntrusion Detection PoliciesVirus Prevention PoliciesLaptop Security PolicyPersonal Security PolicyCryptography PolicyFair and Accurate Credit Transactions Act of 2003 (FACTA)Other Important PoliciesPolicy StatementsBasic Document Set of Information Security PoliciesISO 17799Domains of ISO 17799No Simple SolutionsU.S. LegislationCalifornia SB 1386Sarbanes-Oxley 2002Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)USA Patriot Act 2001U.K. LegislationHow Does This Law Affect a Security Officer?The Data Protection Act 1998The Human Rights Act 1998Interception of CommunicationsThe Freedom of Information Act 2000The Audit Investigation and Community Enterprise Act 2005Demo - Vmware OverviewDemo - Opening an Existing XP VMware SystemDemo - Opening VM ApplianceDemo - Installing a New VM SystemDemo - Booting XP from Backtrack ISOModule 01 ReviewModule 02 - Advanced GooglingAdvanced GooglingSite Operatorintitle:index.ofDemo - Default Pages: tsweberror warningDemo - Google as a Proxylogin logonusername userid employee.ID “your username is”password passcode “your password is”admin administrator–ext:html –ext:htm –ext:shtml –ext:asp –ext:php39m
inurl:temp inurl:tmp inurl:backup inurl:bakGoogle Advanced Search FormCategorization of the Operatorsallinanchor:allintext:Demo - Google Locating Live CamsLocating Public Exploit SitesLocating Exploits via Common Code StringsLocating Vulnerable TargetsLocating Targets via Demonstration PagesDemo - Google Hack HoneyPotDemo - Goolag and WiktoDemo - Wikto Results and Google GuideModule 02 ReviewModule 03 - TCP/IP Packet AnalysisTCP/IP Packet AnalysisTCP/IP ModelDemo - TCP/IP Movie RecommendationApplication LayerTransport LayerInternet LayerNetwork Access LayerComparing OSI and TCP/IPDemo - Engage Packet BuilderTCPTCP HeaderIP Header: Protocol FieldUDPTCP and UDP Port NumbersPort NumbersDemo - Warriors of the NetIANASource and Destination Port NumbersDemo - Techtionary.com Port NumbersWhat Makes Each Connection Unique?Structure of a PacketTCP OperationThree-Way HandshakeDemo - Techtionary.com TCP HandshakeFlow ControlWindowingWindowing and Window SizesSimple WindowingAcknowledgementSliding WindowsSequencing NumbersSynchronizationPositive Acknowledgment and Retransmission (PAR)What is Internet Protocol v6 (IPv6)?Why IPv6?IPv4/IPv6 Transition MechanismsIPv6 Security IssuesSecurity Flaws in IPv6IPv6 Infrastructure SecurityIpsec1h 21m
Firewalls and Packet FilteringDenial-of-Service (DoS) AttacksUDP OperationInternet Control Message Protocol (ICMP)ICMP Message DeliveryFormat of an ICMP MessageUnreachable NetworksTime Exceeded MessageIP Parameter ProblemICMP Control MessagesICMP RedirectsClock Synchronization and Transit Time EstimationInformation Requests and Reply Message FormatsAddress MasksRouter Solicitation and AdvertisementModule 03 ReviewModule 04 - Advanced Sniffing TechniquesAdvanced Sniffing TechniquesDemo - Basic SniffersDemo - Packet Capturing with Windows PacketyzerWhat is Wireshark?Wireshark: FiltersWireshark: TsharkWireshark: TcpdumpDemo - TcpdumpProtocol DissectionSteps to Solve GNU/ Linux Server Network Connectivity IssuesUsing Wireshark for Network TroubleshootingUsing Wireshark for System AdministrationARP ProblemsDemo - Sniffers and ARPICMP Echo Request/Reply Header LayoutTCP FlagsScenario 1: SYN no SYN ACKScenario 2: SYN Immediate Response RSTScenario 3: SYN SYN ACK ACKTapping into the NetworkUsing Wireshark for Security AdministrationSniffer DetectionWireless Sniffing with WiresharkFrequencyUsing Channel HoppingInterference and CollisionsRecommendations for Sniffing Wireless TrafficAnalyzing Wireless TrafficIEEE 802.11 HeaderFiltersUnencrypted Data TrafficIdentifying Hidden SSIDsIdentifying EAP Authentication FailuresIdentifying WEPIdentifying IPsec/VPNDecrypting TrafficScanningTCP Connect Scan50m
SYN ScanXMAS ScanNull ScanRemote Access TrojansWireshark DNP3 Dissector Infinite Loop VulnerabilityTime StampsTime ZonesPacket ReassemblingChecksumsModule 04 ReviewModule 05 - Vulnerability Analysis with Nessus50mVulnerability Analysis with NessusNessusFeatures of NessusNessus Assessment ProcessDemo - Nessus on WindowsDemo - Nessus on Windows Cont'd and GFI LANguard ComparisonFalse PositivesExamples of False PositivesIdentifying False PositivesSuspicious SignsDemo - Backtrack 4 Nessus InstallModule 05 ReviewModule 06 - Advanced Wireless TestingAdvanced Wireless TestingWireless ConceptsDemo - Techtionary Website802.11 TypesCore Issues with 802.11What’s the Difference?Other Types of WirelessSpread Spectrum BackgroundChannelsAccess PointService Set IDDemo - Linksys-AP Config SSIDDefault SSIDsChipsetsWi-Fi EquipmentExpedient AntennasVulnerabilities to 802.1x and RADIUSSecurity - WEPWired Equivalent Privacy (WEP)Exclusive OREncryption ProcessChipping SequenceWEP IssuesWEP - Authentication PhaseWEP - Shared Key AuthenticationWEP - Association PhaseWEP FlawsWEP Attack2h 42m
Demo - Authentication SettingsDemo - WEP Set-Up SecurityDemo - Cain and Abel WEP CrackingWPA Interim 802.11 SecurityWPADemo - Cracking WPA with Cain and AbelWPA2 (Wi-Fi Protected Access 2)802.1X Authentication and EAPEAP TypesCisco LEAPTKIP (Temporal Key Integrity Protocol)Wireless Networks TestingWireless Communications TestingReport RecommendationsWireless Attack CountermeasuresDemo - MAC-SSID SecurityWireless Penetration Testing with WindowsWar DrivingThe Jargon – WarChalkingWireless: Tools of the TradeDemo - Kismet in WindowsDemo - Tool: Kismet in LinuxDemo - Vistumbler War Driving and GPS Map PlottingHow Does NetStumbler Work?“Active” vs. “Passive” WLAN DetectionDisabling the BeaconRunning NetStumblerDemo - Tool: NetstumblerAirCrack-ngAirCrack-ng: How Does it Work?AirCrack-ng: FMS and Korek AttacksAirCrack-ng: NotesDemo - Hacking WEP EncryptionDetermining Network Topology: Network ViewWarDriving and Wireless Penetration Testing with OS XUsing a GPSDeauthenticating ClientsStumbVerterMITM Attack DesignMITM Attack VariablesHardware for the Attack: Antennas, Amps, and WiFi CardsChoosing the Right AntennaAmplifying the Wireless SignalIP Forwarding and NAT using IPtablesDemo - Jasager fon RouterModule 06 ReviewModule 07 - Designing a DMZDesigning a DMZIntroductionDMZ ConceptsDMZ Design Fundamentals27m
Advanced Design StrategiesTypes of Firewall and DMZ Architectures"Inside vs. Outside" Architecture"Three-Homed Firewall" DMZ ArchitectureWeak Screened Subnet ArchitectureStrong Screened Subnet ArchitectureDesigning a DMZ using IPtablesDesigning Windows DMZPrecautions for DMZ SetupDemo - Designing DMZsAdvanced Implementation of a Solaris DMZ ServerSolaris DMZ Servers in a Conceptual Highly Available ConfigurationHardening Checklists for DMZ Servers and SolarisPlacement of Wireless EquipmentAccess to DMZ and Authentication ConsiderationsWireless DMZ ComponentsWLAN DMZ Security Best PracticesEthernet Interface Requirements and ConfigurationDMZ Router Security Best PracticeSix Ways to Stop Data LeaksModule 07 ReviewModule 08 - Snort AnalysisSnort AnalysisSnort OverviewModes of OperationFeatures of SnortConfiguring SnortSnort: VariablesSnort: Pre-processorsSnort: Output Plug-insSnort: RulesHow Snort OperatesInitializing SnortDemo - Snort IDS Testing Scanning ToolsSignal HandlersParsing the Configuration FileDecodingPossible DecodersPre-processingDetectionContent MatchingThe Stream4 Pre-processorInline FunctionalityWriting Snort RulesSnort Rule HeaderSnort Rule Header: ActionsSnort Rule Header: Other FieldsIP Address Negation RuleIP Address FiltersThe direction OperatorRule OptionsActivate/Dynamic RulesMetadata Rule Options: msgThe reference KeywordThe sid/rev Keyword48m
The classtype KeywordPayload Detection Rule Options: contentModifier KeywordsThe uricontent KeywordThe fragoffset KeywordWriting Good Snort RulesTool for Writing Snort Rules: IDS Policy ManagerHoneynet Security Console ToolKey FeaturesModule 08 ReviewModule 09 - Log Analysis30mLog AnalysisLogsEvents that Need to be LoggedWhat to Look Out For in LogsAutomated Log Analysis ApproachesLog ShippingSyslogSetting up a SyslogSystem Error LogsKiwi Syslog DaemonConfiguring Kiwi Syslog to Log to a MS SQL DatabaseConfiguring a Cisco Router for SyslogConfiguring a DLink Router for SyslogGathering Log Files from an IIS Web ServerApache Web Server LogAWStats Log AnalyzerCisco Router LogsAnalyzing Netgear Wireless Router LogsWireless Traffic Analysis Using WiresharkConfiguring Firewall Logs in Local Windows SystemViewing Local Windows Firewall LogViewing Windows Event LogCollecting & Monitoring UNIX SyslogiptablesLog Prefixing with iptablesFirewall Log Analysis with grepSQL Database LogUsing SQL Server to Analyze Web LogsAnalyzing Oracle Logs: The Oracle Metric Log FileApexSQL LogAnalyzing Solaris System LogsDemo - SplunkModule 09 ReviewModule 10 - Advanced Exploits and ToolsAdvanced Exploits and ToolsCommon VulnerabilitiesBuffer Overflows RevisitedSmashing the Stack for Fun and ProfitSmashing the Heap for Fun and Profit1h 39m
Format Strings for Chaos and MayhemThe Anatomy of an ExploitDemo - Fuzzing for WeaknessesVulnerable CodeShellcodeShellcode ExamplesShellcode (cont’d)Demo - Stack FunctionDelivery CodeDelivery Code: ExampleDemo - Compiling Exploits from Source CodeLinux Exploits versus WindowsWindows versus LinuxTools of the Trade: DebuggersTools of the Trade: GDBTools of the Trade: MetasploitDemo - Metasploit IntroDemo - Metasploit 101Demo - Metasploit InteractiveTools of the Trade: CanvasLabTools of the Trade: CORE ImpactWays to Use CORE ImpactMicrosoft Baseline Security Analyzer (MBSA)Network Security Analysis Tool (NSAT)Sunbelt Network Security Inspector (SNSI)Demo - Saint Exploit of Windows XPDemo - dcom101 Exploit Autoshovel of ShellDemo - dcom Exploit Netcat Shovel of Shell and Extracting HashesDemo - Backtrack 4 Milw0rm Metasploit UpdatesModule 10 ReviewModule 11 - Penetration Testing MethodologiesPenetration Testing MethodologiesDemo - dradis Effective Information SharingWhat is Penetration Testing?Why Penetration Testing?What Should be Tested?What Makes a Good Penetration Test?Common Penetration Testing TechniquesPenetration Testing ProcessScope of Penetration TestingBlue Teaming/Red TeamingTypes of Penetration TestingBlack-box Penetration TestingWhite-box Penetration TestingAnnounced Testing/ Unannounced TestingGrey-box Penetration TestingStrategies of Penetration TestingExternal Penetration TestingInternal Security AssessmentApplication Security AssessmentTypes of Application Security AssessmentNetwork Security AssessmentWireless/Remote Access AssessmentTelephony Security Assessment1h 54m
Social EngineeringPenetration Testing ConsultantsRequired Skills SetsHiring a Penetration TesterResponsibilities of a Penetration TesterProfile of a Good Penetration TesterWhy Should the Company Hire You?Companies’ ConcernsMethodologyDemo - NIST MethodologyDemo - PenTest Templates and MethodologiesPenetration Testing RoadmapGuidelines for Security CheckingOperational Strategies for Security TestingSecurity Category of the Information SystemIdentifying Benefits of Each Test TypePrioritizing the Systems for TestingROI on Penetration TestingDetermining Cost of Each Test TypeNeed for a MethodologyPenetration Test vs. Vulnerability TestReliance on Checklists and TemplatesPhases of Penetration TestingPre-Attack PhaseBest PracticesResults that can be ExpectedPassive ReconnaissanceActive ReconnaissanceAttack PhaseActivity: Perimeter TestingActivity: Web Application Testing - IActivity: Web Application Testing – IIActivity: Wireless TestingActivity: Acquiring TargetActivity: Escalating PrivilegesActivity: Execute, Implant, and RetractPost-Attack Phase and ActivitiesModule 11 ReviewModule 12 - Customers and Legal AgreementsCustomers and Legal AgreementsWhy do Organizations Need Pen-Testing?Initial Stages in Penetration TestingUnderstand Customer RequirementsCreate a Checklist of Testing RequirementsPenetration Testing ‘Rules of Behavior’Demo - ISSAF Customers and LegalPenetration Testing RisksPenetration Testing by Third PartiesPrecautions While Outsourcing Penetration TestingLegal ConsequencesDemo - Computer Crimes and ImplicationsGet Out of Jail Free CardPermitted Items in Legal AgreementConfidentiality and NDA AgreementsNon-Disclosure and Secrecy Agreements (NDA)27m
The ContractLiability IssuesNegligence ClaimPlan for the WorstDrafting ContractsHow Much to Charge?Module 12 ReviewModule 13 - Rules of Engagement11mRules of EngagementRules of Engagement (ROE)Demo - OSSTMM ModelScope of ROESteps for Framing ROEClauses in ROEDemo - ScreenHunter Desktop Capture ToolModule 13 ReviewModule 14 - Penetration Testing Planning and Scheduling1h 10mPenetration Testing Planning and SchedulingTest PlanPurpose of Test PlanBuilding a Penetration Test PlanDemo - Overview OSSTMMIEEE STD. 829–1998 SECTION HEADINGSTest Plan IdentifierTest DeliverablesPenetration Testing Planning PhaseDefine the ScopeProject ScopeWhen to Retest?ResponsibilitiesSkills and Knowledge RequiredInternal EmployeesPenetration Testing TeamsTiger TeamBuilding Tiger TeamQuestions to Ask Before Hiring Consultants to the Tiger TeamMeeting With the ClientKickoff MeetingPenetration Testing Project PlanWork Breakdown Structure or Task ListPenetration Testing SchedulePenetration Testing Project Scheduling ToolsTest Plan ChecklistPenetration Testing Hardware/Software RequirementsEC-Council’s Vampire BoxBegin Penetration TestingDemo - Installing Backtrack 4 into VMWare EnvironmentModule 14 ReviewModule 15 - Pre-Penetration Testing ChecklistPre-Penetration Testing ChecklistDemo - Pentest ChecklistStep 1: Gather Information about Client Organization’s History and Background25m
Step 2: Visit the Client Organization PremisesStep 3: List the Client Organization’s Penetration Testing RequirementsStep 4: Obtain Penetration Testing Permission from the Company’s StakeholdersStep 5: Obtain Detailed Proposal of Test and Services that are Proposed to be carried outStep 6: Identify the Office Space/Location your Team would be Working in for this ProjectStep 7: Obtain Temporary Identity Cards from the Organization for the Team who is Involved in the ProcessStep 8: Identify who will be Leading the Penetration Testing Project (Chief Penetration Tester)Step 9: Request from the Client Organization the Previous Penetration Testing/Vulnerability Assessment ReportsStep 10: Prepare Rules of Engagement that Lists the Company’s Core Competencies/ Limitations/ TimescalesStep 11: Hire a Lawyer who Understands IT and can Handle your Penetration Testing Legal DocumentsStep 12: Prepare PT Legal Document and get Vetted with your LawyerStep 13: Prepare Non Disclosure Agreement (NDA) and have the Client Sign themStep 14: Obtain (if possible) Liability Insurance from a Local Insurance FirmStep 15: Identify your Core Competencies/LimitationsStep 16: Allocate a Budget for the Penetration Testing Project ( X amount of )Step 17: Prepare a Tiger TeamStep 18: List the Security Tools that you will be using for the Penetration Testing ProjectStep 19: List the Hardware and Software Requirements for the Penetration Testing ProjectStep 20: Identify the Clients Security Compliance RequirementsStep 21: List the Servers, Workstations, Desktops and Network Devices that need to be TestedStep 22: Identify the Type of Testing that would be carried out - Black Box or White Box TestingStep 23: Identify the Type of Testing that would be carried out - Announced/ UnannouncedStep 24: Identify Local Equipment Required for Pen TestStep 25: Identify Local Manpower Required for Pen TestStep 26: List the Contact Details of Personnel from Client Organization who will be in Charge of the Pen TestStep 27: Obtain the Contact Details of the Key Personnel for Approaching in case of an EmergencyStep 29: List the Tests that will not be carried out at the Client NetworkStep 30: Identify the Purpose of the Test you are carrying out at the Client OrganizationStep 31: Identify the Network Topology in which the Test would be carried outStep 32: Obtain Special Permission if Required from Local Law Enforcement AgencyStep 33: List known Waivers/ExemptionsStep 34: List the Contractual Constraints in the Penetration Testing AgreementStep 35: Identify the Reporting Timescales with the Client OrganizationStep 36: Identify the List of Penetration Testers Required for this ProjectStep 37: Negotiate per Day/per Hour Fee that you will be Charging for the Penetration Testing ProjectStep 38: Draft the Timeline for the Penetration Testing ProjectStep 39: Draft a Quotation for the Services that you'll be Providing to the Client OrganizationStep 40: Identify how the Final Penetration Testing Report will be Delivered to the Client OrganizationStep 41: Identify the Reports to be Delivered After Pen TestStep 42: Identify the Information Security Administrator who will be helping you in the Penetration TestingModule 15 ReviewModule 16 - Information GatheringInformation GatheringWhat is Information Gathering?Information Gathering StepsStep 1: Crawl the Website and Mirror the Pages on Your PCDemo - HTTrack Website CopierStep 2: Crawl the FTP Site and Mirror the Pages on Your PCDemo - Wget and Backtrack 4 Live CDStep 3: Look up Registered Information in the Whois DatabaseDemo - CentralOps and Domains by ProxyDemo - Backtrack and WhoisStep 4: List the Products Sold by the CompanyDemo - Firecat (Firefox Addons)Step 5: List the Contact Information, Email Addresses, and Telephone Numbers1h 30m
Step 6: List the Company’s DistributorsStep 7: List the Company’s PartnersDemo - Email SpiderStep 8: Search the Internet, Newsgroups, Bulletin Boards, Negative Websites for Information about the CompanyDemo - MaltegoStep 9: Search for Trade Association DirectoriesStep 10: Search for Link Popularity of Company WebsiteDemo - AlexaStep 11: Compare Price of Product or Service with the CompetitorStep 12: Find the Geographical LocationDemo - ShazouUse Google Map to Find Geographical LocationStep 13: Search the Internet Archive Pages about the CompanyDemo - Archive.orgStep 14: Search Similar or Parallel Domain Name ListingsDemo - ServerSniff TLDsStep 15: Search Job Posting Sites about the CompanyStep 16: Browse Social Network WebsitesDemo - Social NetworkingStep 17: Write Down Key EmployeesStep 18: Investigate Key Persons – Searching in Google, Look up their Resumes and Cross Link InformationStep 19: List Employee Company and Personal Email AddressStep 20: Search for Web Pages Posting Patterns and Revision NumbersDemo - No Tech HackingStep 21: Email the Employee Disguised as Customer Asking for QuotationStep 22: Visit the Company as Inquirer and Extract Privileged InformationStep 23: Visit the Company LocalityStep 24: Use Web Investigation Tools to Extract Sensitive Data Targeting the CompanyStep 25: Use Intelius and Conduct Background Check on Company Key PersonnelStep 26: Search on eBay for Company’s PresenceStep 27: Use the Domain Research Tool to Investigate the Company’s DomainStep 28: Use the EDGAR Database to Research Company InformationStep 34: Use GHDB and Search for the Company NameDemo - SummaryDemo - Vmware 64bit Error FixDemo - SEATDemo - Metagoofil SearchDemo - CORE Impact Email Info GatheringModule 16 ReviewModule 17 - Vulnerability AnalysisVulnerability AnalysisWhy Assess?Vulnerability ClassificationWhat is Vulnerability Assessment?Demo - Vulnerability Research ResourcesDemo - Nessus 4 Windows Install and Wikto Scan WebgoatTypes of Vulnerability AssessmentDemo - Nessus 3 Webgoat Scan BT4Demo - Nessus 4 Webgoat ScanDemo - GFI LANguardHow to Conduct a Vulnerability AssessmentHow to Obtain a High Quality Vulnerability AssessmentVulnerability Assessment PhasesPre-Assessment PhaseAssessment Phase1h 23m
Post-Assessment PhaseVulnerability Analysis StagesComparing Approaches to Vulnerability AssessmentCharacteristics of a Good Vulnerability Assessment SolutionVulnerability Assessment ConsiderationsVulnerability Assessment ReportsDemo - Nessus 3 BT Exporting NBE ReportVulnerability Report ModelTimelineTypes of Vulnerability Assessment ToolsChoosing a Vulnerability Assessment ToolVulnerability Assessment Tools Best PracticesVulnerability Assessment ToolsDemo - Retina Security ScannerOther Vulnerability ToolsReportVulnerability Assessment ReportsAutomated Scanning Server ReportsPeriodic Vulnerability Scanning ReportModule 17 ReviewModule 18 - External Penetration TestingExternal Penetration TestingPenetration Testing RoadmapExternal Intrusion Test and AnalysisHow is it Done?Client BenefitsExternal Penetration TestingSteps – Conduct External Penetration TestingDemo - CORE Impact Network Vulnerability TestDemo - Samaurai Live CD IntroStep 1: Inventory Company’s External InfrastructureStep 2: Create Topological Map of the NetworkStep 3: Identify the IP AddressStep 4: Locate the Traffic Route that Goes to the Web ServersStep 5/6: Locate TCP/UDP Traffic Path to the DestinationStep 7: Identify the Physical Location of the Target ServersStep 8: Examine the Use IPV6 at the Remote LocationStep 9: Lookup Domain Registry for IP InformationStep 10: Find IP Block Information about the TargetStep 11: Locate the ISP Servicing the ClientStep 12: List Open PortsOpen Ports on Web ServerStep 13: List Closed PortsPort Scanning ToolsStep 14: List Suspicious Ports that are Half Open/ClosedStep 15: Port Scan Every Port (65,536) on the Target’s NetworkStep 16: Use SYN Scan on the Target and See the ResponseStep 17: Use Connect Scan on the Target and See the ResponseDemo - N-stalker Results WebgoatDemo - Breaking Access Control Passwords with XhydraDemo - Viewing Website with TelnetDemo - Input-injection AttackDemo - Fast-track Overview and InstallDemo - Fast-track ExploitsDemo - Fast-track Clientside Attacks1h 10m
Demo - Fast-track Mass AttackModule 18 ReviewModule 19 - Internal Network Penetration TestingInternal Network Penetration TestingPenetration Testing RoadmapInternal TestingMethods of Internal TestingEnumerate Other MachinesStep 1: Map the Internal NetworkDemo - Spiceworks InventoryStep 2: Scan the Network for Live HostsDemo - SNMP Enumerating with BTDemo - FireScope MIB ToolStep 3: Port Scan Individual MachinesStep 4: Try to Gain Access Using Known VulnerabilitiesDemo - SMB NAT Dictionary AttacksDemo - Injecting the Abel ServiceDemo - Nslookup DNS Zone TransferStep 5: Attempt to Establish Null SessionsDemo - Enumerate BannersDemo - Null Session Multiple ToolsDemo - Null Session CountermeasuresStep 6: Enumerate UsersStep 7: Sniff the Network Using WiresharkStep 8: Sniff Pop3/FTP/Telnet PasswordsStep 9: Sniff Email Messages/VoIP TrafficSniffer ToolsDemo - ARP Poisoning with CainStep 10: Attempt Replay AttacksDemo - SSL MITMStep 11: Attempt ARP PoisoningStep 11a: Attempt Mac FloodingStep 12: Conduct a Man-in-the Middle AttackStep 13: Attempt DNS PoisoningDemo - Cain DNS SpoofStep 14: Try a Login to a Console MachineStep 15: Boot the PC Using Alternate OS and Steal the SAM FileDemo - Local Password ResetDemo - Backtrack Local XP Password AttackCopying Commands in KnoppixERD Commander 2005Reset Administrator PasswordStep 16: Attempt to Plant a Software Keylogger to Steal PasswordsKeyloggers and Spy SoftwareDemo - Hardware Keystroke LoggersStep 17: Attempt to Plant a Hardware Keylogger to Steal PasswordsStep 18: Attempt to Plant a Spyware on the Target MachineStep 19: Attempt to Plant a Trojan on the Target MachineStep 20: Attempt to Create a Backdoor Account on the Target MachineDemo - Secure Tunnels and Anonymizer TechniquesStep 21: Attempt to Bypass Anti-virus Software Installed on the Target MachineDemo - Stealth Tools v2 to Hide Viruses and MalwareStep 22: Attempt to Send Virus Using the Target MachineStep 23: Attempt to Plant Rootkits on the Target MachineDemo - Dreampakpl Rootkit2h 56m
Step 24: Hide Sensitive Data on Target MachinesDemo - Alternate Data StreamsStep 25: Hide Hacking Tools and Other Data in Target MachinesStep 26: Use Various Steganography Techniques to Hide Files on Target MachineDemo - SteganographyStep 27: Escalate User PrivilegesDemo - Privilege EscalationStep 28: Capture POP3 TrafficStep 29: Capture SMTP TrafficStep 32: Capture HTTP TrafficStep 33: Capture HTTPS Traffic (Even Though it cannot be Decoded)Step 34: Capture RDP TrafficStep 35: Capture VoIP TrafficDemo - Cain VoIP RDP InterceptionSteps 40 and 41Step 42: Attempt Session Hijacking on Telnet TrafficSteps 43 and 44Continue TestingCORE Impact - Automated ToolMetasploit - ToolCanvas – Automated ToolVulnerability Scanning ToolsDocument EverythingModule 19 ReviewModule 20 - Router and Switches Penetration TestingRouter and Switches Penetration TestingDemo - Cain and Abel Routing Protocols and ID NetworksPenetration Testing RoadmapRouter Testing IssuesNeed for Router TestingGeneral RequirementsTechnical RequirementsTry to Compromise the RouterSteps for Router Penetration TestingStep 1: Identify the Router HostnameStep 2: Port Scan the RouterStep 3: Identify the Router Operating System and its VersionSteps 4/5: Identify Protocols Running/Testing for Package Leakage at the RouterStep 6: Test for Router MisconfigurationsStep 7: Test for VTY/TTY ConnectionsThe Process to Get Access to the RouterStep 8: Test for Router Running ModesPrivilege Mode AttacksStep 9: Test for SNMP CapabilitiesSNMP “Community String”Step 10: Test for TFTP ConnectionsTFTP TestingStep 11: Test if Finger is Running on the RouterStep 12: Test for CDP Protocol Running on the RouterHow to Test CDP Protocol?Step 13: Test for NTP ProtocolStep 14: Test for Access to Router Console PortStep 15: Test for Loose and Strict Source RoutingSteps 16 and 17: Test for IP Spoofing/IP Handling BugsStep 18: Test ARP Attacks53m
Step 19: Test for Routing Protocol AssessmentStep 20: RIP TestingStep 21: Test for OSPF ProtocolStep 22: Test BGP ProtocolStep 23: Test for EIGRP ProtocolStep 24: Test Router Denial of Service AttacksStep 25: Test Router’s HTTP CapabilitiesStep 26: Test Through HSRP AttackRouter Testing ReportSteps for Testing SwitchesStep 1: Testing Address Cache SizeStep 2: Data Integrity and Error Checking TestStep 3: Testing for Back-to-Back Frame CapacityStep 4: Testing for Frame LossStep 5: Testing for LatencyStep 6: Testing for ThroughputStep 7: Test for Frame Error FilteringStep 8: Fully Meshed TestStep 9: Stateless QoS Functional TestStep 10: Spanning Tree Network Convergence Performance TestStep 11: OSPF Performance TestStep 12: Test for VLAN HoppingStep 13: Test for MAC Table FloodingStep 14: Testing for ARP AttackStep 15: Check for VTP AttackModule 20 ReviewModule 21 - Firewall Penetration TestingFirewall Penetration TestingPenetration Testing RoadmapWhat is a Firewall?What Does a Firewall Do?Packet FilteringWhat Can't a Firewall Do?How Does a Firewall Work?Firewall Logging FunctionalityFirewall PolicyPeriodic Review of Information Security PoliciesFirewall ImplementationBuild a Firewall RulesetMaintenance and Management of FirewallTypes of FirewallDemo - Introduction to VyattaPacket Filtering FirewallIP Packet Filtering FirewallCircuit Level GatewayApplication Level FirewallStateful Multilayer Inspection FirewallMultilayer Inspection FirewallSteps for Conducting Firewall Penetration TestingStep 1: Locate the FirewallStep 2: Traceroute to Identify the Network RangeStep 3: Port Scan the FirewallStep 4: Grab the BannerStep 5: Create Custom Packets and Look for Firewall ResponsesStep 6: Test Access Control Enumeration2h 12m
Step 7: Test to Identify Firewall ArchitectureStep 8: Testing Firewall PolicyStep 9: Test Firewall Using Firewalking ToolStep 10: Test for Port RedirectionFirewall IdentificationStep 11: Testing the Firewall from Both SidesStep 12: Overt Firewall Test from OutsideStep 13: Test Covert ChannelsStep 14: Covert Firewall Test from OutsideStep 15: Test HTTP TunnelingStep 16: Test Firewall Specific VulnerabilitiesDemo - VyattaDemo - CORE Impact Targeting VyattaDocument EverythingModule 21 ReviewModule 22 - IDS Penetration TestingIDS Penetration TestingPenetration Testing RoadmapWhat is an IDS?Demo - IDS Blink and Ossec.netNetwork IDSHost-based IDSDemo - Blink Personal IPS IDSApplication-based IDSMulti-Layer Intrusion Detection SystemsMulti-Layer Intrusion Detection System BenefitsWireless Intrusion Detection Systems (WIDS)IDS Testing Tool - Evasion GatewayCommon Techniques Used to Evade IDS SystemsIDS Penetration Testing StepsSteps 1/2: Test for Resource Exhaustion/ IDS by Sending ARP FloodSteps 3/4: Test the IDS by MAC Spoofing/ IP SpoofingSteps 5/6: Test by Sending a Packet to the
Kiwi Syslog Daemon Configuring Kiwi Syslog to Log to a MS SQL Database Configuring a Cisco Router for Syslog Configuring a DLink Router for Syslog Gathering Log Files from an IIS Web Server Apache Web Server Log AWStats Log Analyzer Cisco Router Logs Analyzing Netgear Wireless Router Logs Wireless Traffic Analysis Using Wireshark Configuring Firewall Logs in Local Windows System Viewing Local .
