CPTP Modules

Published on January 2017

Certified Network Security Administrator Training

Page 1 of 12

Certified Penetration Testing Professional (CPTP)
Instructor-Led Course, 5 Days
Modules Updated July 05 2004

CPTP Modules
Module 1: Hacking Techniques I

Penetration testing is a process of testing the weaknesses of a secured or non-secured system or network. A team of spe techniques and exploit the targeted system or network to test levels of security to simulate the results of a real attack. P helps an organization determine the level of security of their system or network and identify the weak elements that nee also aids in evaluating an organization's detection and response capabilities and determines whether proper controls are in

• Penetration Testing
• Methodology for Penetration Testing
• Network Surveying
• Port Scanning
• System Fingerprinting
• Services Probing
• Automated Vulnerability Scanning
• Exploit Research
• Manual Vulnerability Testing and Verification
• Application Testing
• Firewall & Access Control List Testing
• Intrusion Detection System (IDS) Testing
• Document Grinding - Electronic Dumpster Diving
• Password Cracking
• Denial of Service Testing
• IDS & Server Logs Review
• Understanding Network Survey
• Understanding Port Scanning
• Understanding System Fingerprinting
• Understanding Service Probing
• IP Address Location Tracing
• Information Gathering
• Passive Information Gathering
• Whois Search
• EDGAR Database
• Company Homepage
• Search Engines
• Active Information Gathering
• Ping
• TTL Values
• Traceroute
• NSLookup
• Finger
• DIG
• Banner Grabbing Techniques
• Information Gathering Using Various Tools
• Sam Spade
• VisualRoute
• Hping2
• Smart Whois
• eMailTrackPro
• Grabbb
• NeoTrace
• Netcat
• Discovering organization-related information, related domains, server OS and web server version
• Information Gathering Using Search Engines
• Port Scanning
• Port Scanning Techniques
• TCP connect() scan
• TCP SYN scan
• IP protocol scan
• TCP FIN scan
• NULL scan
• Xmas scan

http://www.mile2.com/CPTP_modules.html

25-Feb-2006

• ACK scan
• FTP Bounce attack
• Performing a Port Scan
• Expected Results
• Enumerating Ports
• Port Number
• Port Scanning Tools
• Angry IP Scanner
• SuperScan
• Nmap
• XProbe - Active OS Fingerprinting Tool
• NetScan
• ScanPort
• WS_Ping ProPack
• IPEye
• HTTrack Web Copier
• Tasks for Port Scanning
• Port Scanning Techniques
• Banner Grabbing Techniques
• Email Tracing
• Active OS Fingerprinting
• Port Scanning with WS_Ping ProPack

Module 2: Hacking Techniques II

Vulnerability scanning is a manual or automated process of proactively identifying weaknesses in the devices which are network. All networks expose a huge amount of information to potential attackers if they are not properly configured. Attackers look for targets of opportunity to break into a network, such as weak passwords, insecure software installation known security issues, backdoor administration programs, unsecured DMZ systems and firewalls, unsecured modems of the popular wireless LAN. Further, attackers are increasingly employing inverse scanning, blind scans and bounce sc source and intentions. They are also targeting firewalls and attempting to understand and manipulate rule sets to penet network.

• Vulnerability Scanning
• Automated Vulnerability Scanning Tools
• Open Source Vulnerability Scanners
• Commercial Vulnerability Scanners
• MBSA Command-Line Options
• MBSA Scanning Options
• Enumeration
• NetBIOS Enumeration
• Null Session
• Net Commands
• NBTSTAT Command
• SNMP Enumeration
• Enumeration Tools
• Enum
• NBTScan: NetBIOS Name Network Scanner
• GetAcct
• NetBIOS Auditing Tool
• Smbbf Auditing Tool
• DumpSec
• DumpEvt
• DumpReg
• NetUsers
• User2SID and SID2User
• UserInfo
• RPCdump
• Ifids
• Walksam
• SolarWinds
• SNScan
• Onesixtyone 0.3.2 SNMP Scanner
• Advanced Vulnerabilities and Exploitation Techniques
• Linux ptrace Vulnerability & Exploitation
• Apache-OpenSSL Buffer Overflow Vulnerability (CAN-2002-0656)
• SCOPOP Remote Root Buffer Overflow Vulnerability
• Solaris /bin/login Buffer Overflow Vulnerability
• eMule DecodeBase16 Buffer Overflow
• Automated Exploitation Tools

• Core Impact
• CANVAS
• Buffer Overflows
• Denial of Service and Distributed Denial of Service Attacks
• Denial of Service Attacks
• Distributed Denial-of-Service Attack

Module 3: Attacking Systems – Windows 2000/2003

This module examines vulnerabilities in Windows 2000/2003 and the methods used to exploit them.

• Overview of Windows System & Architecture
• Windows Architecture Overview
• Windows Terminology
• Objects in NT
• Server vs Workstation
• Common Vulnerabilities & Attacks on Windows Systems
• Local Based Vulnerabilities
• Network Based Vulnerabilities
• Exploiting Local Vulnerabilities & Privilege Escalation
• Introduction
• Exploit
• Exploiting the password disclosure vulnerability in Microsoft’s LSASS (LSADUMP2)
• Tasks for Module 3: Exploiting Local Vulnerabilities & Privilege Escalation
• Microsoft Windows lsass.exe local exploit (Exploiting local vulnerabilities & privilege escalation)
• LSADUMP2 (Exploiting local vulnerabilities & privilege escalation)
• Attacking Microsoft’s NetBIOS
• The NetBIOS null session vulnerability
• Exploiting Microsoft’s Network Share Provider SMB request buffer overflow (SMBdie DoS)
• Brute force attacking NetBIOS passwords
• Attacking Microsoft’s NetBIOS
• SMBdie (Attacking Microsoft’s NetBIOS)
• Attacking Microsoft’s Network Services
• Exploiting Windows Local Security Authority Service Remote Buffer Overflow
• Determine the version of the target operating system
• Windows RPC DCOM buffer overflow exploit
• Exploiting heap overflow in Microsoft Messenger Service
• Tasks for Attacking Microsoft’s Network Services
• Remote LSASS.EXE Exploit

Module 4: Attacking Systems – Linux

Students are introduced to the core concepts of the Linux OS. Also covered are the intricacies of Linux vulnerabilities; u cracker will enter the system and also how to stop a cracker from doing so. Additionally, the module deals with ways to detecting and patching Linux vulnerabilities.

• Linux Boot Camp
• Introduction
• Linux History
• Linux Concepts
• Introduction to the Linux File System
• Types of Files
• The File System in Reality
• The Kernel
• The Shell
• Common Configuration Files in Linux
• File Permissions and Access
• What is chroot?
• The Single-user Mode of Linux
• Source Code of Linux
• Linux Vulnerabilities
• ‘Rooting’ a Linux Machine
• Reasons for Capturing Machines
• Gaining Access to a Linux Machine
• Physical Access Based Attacks
• System Based Attacks
• Kernel Based Attacks
• Important Tool: Kernel Rootkits
• What is a Rootkit?
• Working Methodology of a Rootkit
• Detecting and Stopping Rootkits

• Linux Server Vulnerabilities
• Apache Vulnerabilities
• Multiple Vulnerabilities in Apache 2.0 (CAN-2004-0174)
• Buffer Overflow in mod_alias from Configuration File (CAN-2003-0542)
• Flaw in Chunked Encoding (CVE-2002-0392)
• Apache 2.0 mod_ssl Denial of Service
• Potential Vulnerabilities in Apache pre 1.3.27
• Batch File Processing Vulnerability (CVE-2002-0061)
• Illegal Operation Handling Flaw (CVE-2001-1342)
• Securing Apache
• Securing Sendmail
• Linux Tools of the Trade
• CORE IMPACT
• Description
• Usage
• Example of Core Impact
• Traceroute / Xtraceroute
• Description
• Usage
• Example of traceroute
• Nmap
• Description
• Usage
• Example of nmap
• Ethereal
• Description
• Usage
• Example of Ethereal
• SuperScan 3.0
• Description
• Usage
• Example of SuperScan
• Hardening Linux
• Understanding System Security
• Threats to Network Security
• Insecure Architectures
• Broadcast Networks
• Centralized Servers
• Threats to Server Security
• Unused Services and Open Ports
• Unpatched Services
• Inattentive Administration
• Inherently Insecure Services
• Hardening Linux - A Step Toward Security
• Knowledge is Power
• Configuring Workstation/Server Security
• Password Protecting GRUB
• Password Protecting LILO
• Password Security — Secure User Account on the Machine
• Configure Network Services
• Securing Servers with TCP Wrappers and xinetd
• Controlling Root Access with sudo
• Evaluating SUID and SGID Files
• Evaluating which Ports are Listening
• Configure the /etc/rc or /etc/init.d Files

Module 5: Attacking Systems - Novell NetWare

This module explores vulnerabilities, exploits and hacking tools with respect to Novell NetWare.

• Overview of Novell NetWare and Security
• Basic Network Security
• File System Security
• Secure Authentication Services (SAS)
• eDirectory
• NDS Object and Property Rights
• NDS and Role-Based Management
• NDS Replica Location
• Understanding Security Equivalence
• Inheritance
• IRF (Inherited Rights Filter)

• NCP Security (Signature Levels)
• Transaction Tracking System (TTS)
• User Policy Compliance
• The Administrator Account
• Intrusion Detection (Authentication)
• Accounts Used by Applications
• Hidden Organization Units
• Preventing Tree Browsing
• Security from Viruses
• Certificates and Certificate Authorities
• Novell CA
• Novell Public Key Infrastructure (PKI) Services
• Novell International Cryptographic Infrastructure (NICI)
• NLM Integrity
• Novell Web Server and FTP
• Operating System Service Packs
• Common Attacks and Vulnerabilities
• Attacker Motivations
• Attack Summary
• Common Attacks & Vulnerabilities
• Excessive Default Rights
• Viruses, Worms, Trojan Horses
• NDS Backdoors
• Denial of Service (DoS) Attacks
• Sniffing Attacks
• Spoofing Attacks
• Server Console Attacks
• Password Attacks
• Login Program Attacks
• Administrative Flaws
• Vendor Flaws
• The Pandora Hack
• Tools & Techniques
• Connecting to the Server
• Enumerating the Server
• Bindery
• Bindin
• Nlist
• CX
• NDS Tree
• Password Guessing
• Detecting Intruder Lockout
• Gaining Administrator
• Pillaging
• Usage of the Map Command
• Nwpcrack Tool
• Application Vulnerabilities
• NetWare PERL
• NetWare Web Server
• Usage for Gameover Tool
• Run gameover
• Obtaining NDS Files
• Dsmaint
• Jcmd
• Crypto and Crypto2 (by Pandora)
• Console Logs
• Backdoors

Module 6: Attacking Systems – Web Applications

As companies race to make content and a gamut of services accessible through the web, they introduce further vulnera information systems. This module explores the web-based framework in which vulnerabilities may be exploited through penetration testing methods and tools.

• Overview of Web Applications
• What exactly is a Web Application?
• Proxy
• Common Vulnerabilities & Attacks
• Web Server Vulnerabilities
• Host Vulnerabilities
• Web Server Software Vulnerabilities
• Security Issues

• Fingerprinting the Web Application Environment
• TCP/ICMP and Service Fingerprinting
• The Blackbox Testing Method
• SQL Injection Vulnerabilities
• PHP and MySQL Injection Execution
• Cookies
• Logic Flaws
• Securing Web Applications & Best Practices
• How to Secure a Public Server
• Best Practices for Web Applications
• Log Suspicious Errors
• Windows 2000 + IIS 5
• Whois Lookup
• Nmap
• Nessus
• Brute Force Password Cracking
• Other Useful Tools

Module 7: Attacking Systems - Database Servers

The intricacies of different database vulnerabilities, exploits and how to secure the database through detection and patc Various tools and techniques available for detecting the vulnerabilities in the database are also covered.

• Overview of Database Servers
• What is a Database?
• Database Management System (DMS)
• What does a DMS do?
• Who interacts directly with a DMS?
• Types of Databases
• Vulnerabilities and Common Attacks on Database Servers
• Common Vulnerabilities
• Database Server Vulnerabilities
• Indirect Attacks or SQL Injection
• Direct Attacks
• Database Security
• Database Security – Oracle
• Install only what is required
• Lock and Expire Default User Accounts
• Change Default User Passwords
• Enable Data Dictionary Protection
• Practice the Principle of Least Privilege
• Enforce Access Controls Effectively
• Restrict Network Access
• Apply all Security Patches and Workarounds
• Contact Oracle Security Products
• Database Security – MySQL
• Three-tier Design
• Access Control
• Roles
• Integrity
• Encryption
• Specific MySQL Security Considerations
• The MySQL Permission Model
• More Advanced Tips
• Database Backups
• Add-ons
• Database Security – MS SQL Server
• Administrator Checklist
• Developer Checklist
• Software Vendor Checklist
• Tools & Techniques
• Tools
• Other Tools
• SQL Injection Examples
• Tasks for Tools and Techniques
• Extended Stored Procedures
• Microsoft Baseline Security Analyzer (MBSA)
• SQLPing2
• SQLdict Dictionary Attack Tool
• Shutdown SQL Server Remotely
• Retina Sapphire SQL Worm Scanner
• oSQL.exe Tool

• Websleuth Tool
• ForceSQL Tool

Module 8: Attacking Networks - Firewalls & IDS

This module explores methods used to bypass and attack both firewalls and IDS using various tools, and how to test a same. In addition, we will also examine the specific vulnerabilities of Check Point and PIX firewalls.

• Overview of Firewalls and IDS
• What is a Firewall?
• Types of Firewalls
• Packet Filtering Firewall
• Application Firewall
• Stateful Inspection Firewall
• Difference between Software and Hardware Based Firewalls
• Major Firewall Vendors
• Check Point Firewall
• Cisco PIX Firewall
• What is an IDS?
• Types of IDS
• Network Based Intrusion Detection (NIDS)
• Host-Based IDS
• Evasive Techniques
• Placement of Firewall
• Firewall Evading Techniques
• Protocol Tunneling
• Firewall Attack Techniques
• Tools: Firewall Attack & Evade
• Placement of IDS
• Vulnerabilities in IDS
• Evading IDS
• IDS Attack Techniques
• Tools: IDS Attack & Evade
• Vulnerabilities of Check Point Firewall
• OpenSSL ASN.1 Parsing Vulnerabilities
• Vulnerabilities of PIX Firewall
• Cisco PIX SSH/Telnet DoS Vulnerability
• Cisco Malformed SNMP Message Denial of Service Vulnerabilities
• Tasks for PIX Firewall Vulnerabilities
• Testing and Securing Firewalls
• Open Ports on Firewall
• Using Nmap
• Using Look@LAN
• Vulnerability Scanning using NetRecon
• Vulnerability Scanning using Retina
• Check Point Firewall-1 Information Leakage
• Rule Base Audit
• Tasks for Testing and Securing Firewalls
• Overview of Finding Open Ports in a Firewall

Module 9: Attacking Networks – Wireless LANs

The module has been designed for both beginners and advanced students. We explore how to detect a wireless netwo wireless data, identify the authentication parameters and mechanisms in a network, and mount passive and active attac networks. We then prepare defensive strategies for wireless LANs.

• Introduction to Wireless Networks
• IEEE 802.11 Wireless
• W-LAN Environments
• W-LAN Network Characteristics
• Bluetooth
• HomeRF
• IrDA
• Infrared
• Security
• Stability
• WiLAN (IEEE 802.11)
• Wireless Standards
• 802.11 Background
• IEEE 802.11 Terminologies
• Distribution System

• Access Points
• Wireless Medium
• Stations
• 802.11 Families
• 802.11
• 802.11a
• 802.11b (Wi-Fi)
• 802.11g
• WLAN Components
• Security Mechanisms in WLAN
• Authentication
• Open Authentication
• Shared Authentication
• 802.1X EAP
• Open Issues of EAP
• EAP-MD5 (Message Digest Algorithm)
• EAP-TLS (Transport Layer Security)
• PEAP (Protected Extensible Authentication Protocol)
• LEAP (Lightweight Extensible Authentication Protocol)
• Encryption Mechanisms
• WEP (Wired Equivalent Privacy)
• How WEP Works
• TKIP (Temporal Key Integrity Protocol)
• Advanced Encryption Standard (AES)
• Wireless Vulnerabilities
• RF Signal Leakage
• Loopholes for Rogue Clients
• Loopholes for Rogue Access Points
• Open Physical Layer
• Broadcast Monitoring
• ArpSpoof Monitoring
• Base Station Clone (Evil Twin) to Intercept Traffic
• AP and Client Misconfigurations
• Base Station Security Assessments
• Interference
• Weak RC4 Key Vulnerabilities
• Tasks for Wireless Vulnerabilities
• Detecting Wireless Networks
• WLAN Sniffing
• Wireless Attacks
• Passive Attacks
• Cracking WEP Keys
• Dictionary Based Attacks
• Active Attacks
• Message Modification
• Message Injection
• Authentication Spoofing
• Man in the Middle Attack
• Spoofing Attacks
• Denial of Service Attacks
• Jamming Attacks
• Comparison of Active Attacks with Passive Attacks
• Tasks for Wireless Attacks
• MAC Spoofing
• WEP Cracking and Network Detection
• Denial of Service
• Attack Tools
• Asleap
• BSD Airtools
• Kismet
• WEPCrack
• MiniStumbler
• Operating Systems Supported
• Hardware Cards Supported
• Aerosol-0.65
• Operating System Requirements
• System Requirements: WinPcap_3_0_a4.exe installed – packet capture library for Windows
• Cards Supported
• NetStumbler 0.4.0
• AiroPeek
• Tasks for Attack Tools
• WEP Cracking using Brute Force + Weak Key

• Wireless Scanner
• Defense Strategies
• Changing Default Configurations
• MAC Address Filtering
• RADIUS Authentication
• Enabling WEP
• Better Key Management
• VPNs
• Access Point Placement
• Proactive Network Sniffing

Module 10: All About Malware

‘Malware’ is short for malicious software and is a generic term used to refer to any software designed to cause damage or computer network. Malware may be viruses, worms, Trojans, backdoors, keyloggers or spyware, and this module ex aspects of malware in detail.

• Viruses and Worms
• Malicious Code
• Viruses
• Background
• How Does a Virus Spread?
• Virus File Extensions
• Virus Structure
• Classification of Viruses
• Worms
• Top Five Viruses and Worms
• Sasser Worm
• Sasser Symptoms
• Code Red Worm
• Nimda Worm
• ‘ILoveYou’ Virus
• Win95.CIH Virus
• Tools to Detect Virus- and Worm-Affected Systems
• Retina Sasser Worm Scanner
• Retina MyDoom Scanner
• Retina Sapphire SQL Worm Scanner
• Retina Nimda Scanner
• Avoiding Virus and Worm Infections
• Tasks for Viruses and Worms
• Introduction to Malware
• Sasser Worm
• Code Red and Nimda Worms
• Trojans and Backdoors
• Trojan Horse
• How Does a Trojan Work?
• Autostart Folder
• Explorer Startup
• Registry Shell Open
• ICQ Net Detect Method
• ActiveX Component
• Features of Trojans
• Remote Access Trojans
• Password Sending Trojans
• Keylogger Trojans
• Destructive Trojans
• Denial of Service (DoS) Attack Trojans
• Proxy/Wingate Trojans
• FTP Trojans
• Software Detection Killers
• How are Trojans Installed?
• Trojans Infect via ICQ
• Various Ways of Getting Infected via ICQ
• IRC (Internet Relay Chat)
• Email Attachments
• An Attacker Gets Physical Access
• Browser and E-mail Software Bugs
• NetBIOS (File Sharing)
• Fake Programs
• Identity Detection
• Spying on the Victim’s Information
• Trojan Ports

• Backdoors
• Tools for Trojans and Backdoors
• NetBus
• SubSeven
• Back Orifice
• Back Orifice Features
• BO2K Configuration Wizard
• Donald Dick
• RECUB Backdoor
• Anti-Trojan Software
• TDS-3 Trojan Defence Suite (TDS)
• LockDown2000
• Trojan Remover Anti-Trojan Software
• Pest Patrol
• Tauscan Trojan Scanner
• LogMonitor
• PrcView
• Tasks for Trojan Horses, Viruses and Worms
• NetBus Trojan
• SubSeven Trojan
• BO2K Trojan
• Donald Dick
• RECUB Backdoor
• Keyloggers and Spyware
• Keylogging
• eBlaster
• WinSpy
• Starr ActMon
• Perfect Keylogger
• ActiveX Advanced Key Logger
• Hardware Keyloggers
• Tasks for Keyloggers and Spyware
• ActMon Spyware
• Perfect Keylogger Spyware
• Win-Spy Spyware

Module 11: Network Vulnerability Assessment Report Writing

This module assists the security professional in understanding the process involved in conducting a Network Vulnerabil finally putting it down in the form of a report. We also determine the severity of the risks that networks face and the mos countermeasures to mitigate those risks.

Writing a report on a Network Vulnerability Assessment is an art which is developed with years spent in the field of Inform aim is to provide an insight into the nuances of report writing for aspiring Certified Penetration Testing Professionals.

We discuss the Project Overview Statement and the Project Scope Document, which form an important part of the Ne Analysis. To be successful, the Network Vulnerability Assessment team will have to identify what the network security c the vulnerability analysis and finally make a comprehensive report.

• Information Security Life Cycle
• Goals of Vulnerability Assessment
• What is the Ideal Size for a Report?
• What are Vulnerabilities? (A Management Perspective)
• Classes of Vulnerabilities
• Elements of a Good Vulnerability Assessment
• Project Scoping
• Project Overview Statement
• Developing the Project Overview Statement
• Example of a Completed Project Overview Statement
• Developing the Project Scope
• Bottom-Up Scope Questionnaire
• Configuration Audit
• Project Scope Document
• Review the Documentation
• Project Scope Change
• Project Scope Change Request
• NVA Sample Report
• Overview
• Your Company
• Vulnerability Assessment Report
• Vulnerability Assessment Team Members

• Version History Information
• Executive Summary
• General Opinion
• Personnel
• Policies and Procedures
• Identification and Authentication (I&A)
• Intrusion Detection
• Conclusion
• Finding Rating Levels
• Findings
• Log Review and Auditability
• Risk Analysis Procedure
• Incident Management and Response
• Information Awareness Program
• Security Architecture
• IDS
• Security Architecture
• User Identification and Authentication
• Password Strength
• Unencrypted Passwords
• User Account Management
• Violations of Operations Security Procedures
• Violations of Physical Security Procedures
• Physical Access to Critical Workspaces
• SNMP
• TCP Sequence Prediction
• Outside Availability of Telnet
• Firewall, DMZ and Proxying
• Anomalous Network Events
• Developer Access to Production Systems
• Sun Development Cluster
• Mail Server
• Production Web Server ISAPI Vulnerability
• Development Web Server
• WINS/DHCP Server XXX_ntadmin
• Null Sessions
• Visual Basic Scripting
• Default Workstation Install
• Configuration Audit and Change Control
• Vulnerability Assessment Test Protocol
• Zero-Information-Based (ZIB) Footprint Analysis
• Address Space Scan
• Point Scan
• Document Examination
• Platform Configuration Assessment
• Network Scan/Attack Simulation from within the Target Network Segment
• Verification
• Analysis and Reporting
• Exceptions to the Vulnerability Assessment Test Protocol
• Standards Applied
• Common Criteria
• Common Methodology
• Functional Areas of Vulnerability
• ISO 17799
• Reference Model
• The Standard Information Protection Model
• Client Trust Model
• List of Tests Performed
• Network-Based Tests
• List of IP Addresses Tested
• Specific IP Addresses Targeted for Point Scans by ISS and NetRecon
• Specific IP Addresses Used for the ESM Configuration Audit
• Specific ISS Tests Conducted during Point Scans
• Specific NetRecon Tests Conducted during Point Scans
• Specific ESM Policy Tests Conducted
• Remote Access Phone Dialing Tests
• Physical Security Tests
• Social Engineering Tests
• Zero-Information-Based (ZIB) Summary
• Administrative Controls Summary
• Interviews Summary
• Information Security Concept Flow

• Final Figure of CLIENT Network Diagram
• Supplemental CD Readme File
