ECSA/LPT Training CBT Boot Camp: EC-Council Certified Security Analyst / Licensed Penetration Tester

CA-ECSALPT-DVD
AUD $1395




The ECSA/LPT training program is a highly interactive security course designed to teach Security Professionals the advanced uses of the available methodologies, tools and techniques required to perform comprehensive information security tests. Students will learn how to design, secure and test networks to protect your organization from the threats hackers and crackers pose. By teaching the LPT methodology and groundbreaking techniques for security and penetration testing, this course will help you perform the intensive assessments required to effectively identify and mitigate risks to the security of your infrastructure. As students learn to identify security problems, they also learn how to avoid and eliminate them, with the course providing complete coverage of analysis and network security-testing topics. This course will prepare you to pass exam 412-79 to achieve EC-Council Certified Security Analyst (ECSA) certification.

Career Academy is an EC-Council endorsed training provider. We have invited the best security trainers in the industry to help us develop the ultimate training and certification program which includes everything you will need to fully prepare for and pass your certification exams. This officially endorsed product gives our students access to the exam by providing you with a Voucher Number. The EC-Council Voucher Number can be used at any Prometric center; this voucher number is required and mandatory for you to schedule and pay for your exam. Without this voucher number, Prometric will not entertain any of your requests to schedule and take the exam. Note: The cost of the exam is not included in this package.

Wayne Burke - CEH, EC-Council Master Certified Instructor
Wayne Burke, Founder and CIO of SecureIA, is a captain of a global operating group of penetration testers and security experts. Wayne and his group have delivered assignments and customized training for Law Enforcement, Police, various Military Units, NSA, FBI, EPA and similar government bodies from South America, Africa, Philippines, Singapore, Malaysia and numerous Gulf locations to name a few from around the world. His office has become his next 12-hour international flight.

In Europe he works for numerous government agencies, corporate institutes and the military. Wayne is the creator of many popular security training tracks and has built the Certified Penetration Testing series. Wayne has had considerable IT Security experience in the fields of: Penetration Testing aka Ethical Hacking, Digital Forensics and Wireless Technologies.

His experience in the public / defense sectors is equally complemented by assignments undertaken for heavyweight world renowned corporations including Yahoo, Xerox, AT&T and Texas Instruments to name but a few. He is eminently qualified in his field in that he holds a string of professional qualifications in Networking to name a few (MCT, MCSE, Cisco, Network+) and IT Security (CIW Security Analyst, Security+, CEI, CEH, CPTE, CDFI, CPTM) besides a bachelor's degree in science.

Course Features:

* Main Menu
Move through hours of in-depth content - quickly and easily due to the efficient and organized structure.
* PowerPoint
Utilizing PowerPoint presentations enhances the delivery by displaying a variety of visual information to the user. This type of representation allows the user to better interpret the material through charts, definitions, graphs, and more...
* Controls
Move forward, back, and repeat entire topics or just a section. A progress bar illuminates as you advance through exercises.
* Full Motion Video
All courses feature full-motion videos of instructors teaching the information as if they are speaking directly to you. Our unique delivery simulates a one-on-one classroom environment creating a more personal lesson and learning experience.
* Study Guides
Printable study guides for the entire course are available. This allows all material to be viewed, reviewed, and printed for viewing at a later date.
* Review Exercises
Each section has a review quiz to aid in the learning process by validating the comprehension of the material covered before moving on to a new section.
* Resume
All courses are resumed to where you left off last session, allowing you to learn when it is convenient for you without the hassle of remembering where you were.
* Live Demonstrations
Demonstrations are a way for the instructor to show and tell the user how to perform a task by actually doing it on screen in front of them. In this format it gives the user the power to see things done by a professional in the intended environment as many times as they would like.
* Certificate of Completion
Career Academy is recognized worldwide for its technology-based IT training curriculums. Upon successful completion of our program, you will be receiving a Career Academy Distance Education Certificate of Completion.

Course Outline

Module 00 - Student Introduction
Student Introduction
Certification
ECSA Track
LPT Track
What next after ECSA Training?
Demo - Overview of Available Resources
Lab Sessions
Student Introduction Review
Module 01 - The Need for Security Analysis
The Need for Security Analysis
What are we Concerned About?
So What are you Trying to Protect?
Why are Intrusions so Often Successful?
What are the Greatest Challenges?
Environmental Complexity
New Technologies
New Threats and Exploits
Demo - Keep Updated with Research
Limited Focus
Limited Expertise
Tool: Data Loss Cost Calculator
Demo - Tech//404 Data Loss Calculator
In Order to Ensure...
Authentication
Authorization
Confidentiality
Integrity
Availability
Non-Repudiation
We Must be Diligent
Threat Agents
Assessment Questions
How Much Security is Enough?
Risk
Simplifying Risk
Risk Analysis
Risk Assessment Answers Seven Questions:
Steps of Risk Assessment
Demo - Risk Assessment
Demo - CIO-view Self-assessment
Risk Assessment Values
Demo - Quantitative Threat Analysis
Information Security Awareness
Security Policies
Security Policy Basics
Demo - Policy Templates
Types of Policies
Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
Data Classification Policies
Intrusion Detection Policies
Virus Prevention Policies
Laptop Security Policy
Personal Security Policy
Cryptography Policy
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Other Important Policies
Policy Statements
Basic Document Set of Information Security Policies
ISO 17799
Domains of ISO 17799
No Simple Solutions
U.S. Legislation
California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
USA Patriot Act 2001
U.K. Legislation
How Does This Law Affect a Security Officer?
The Data Protection Act 1998
The Human Rights Act 1998
Interception of Communications
The Freedom of Information Act 2000
The Audit Investigation and Community Enterprise Act 2005
Demo - Vmware Overview
Demo - Opening an Existing XP VMware System
Demo - Opening VM Appliance
Demo - Installing a New VM System
Demo - Booting XP from Backtrack ISO
Module 1 Review
Module 02 - Advanced Googling
Advanced Googling
Site Operator
intitle:index.of
Demo - Default Pages: tsweb
error | warning
Demo - Google as a Proxy
login | logon
username | userid | employee.ID | "your username is"
password | passcode | "your password is"
admin | administrator
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
Google Advanced Search Form
Categorization of the Operators
allinanchor:
allintext:
Demo - Google Locating Live Cams
Locating Public Exploit Sites
Locating Exploits via Common Code Strings
Locating Vulnerable Targets
Locating Targets via Demonstration Pages
Demo - Google Hack HoneyPot
Demo - Goolag and Wikto
Demo - Wikto Results and Google Guide
Module 2 Review
Module 03 - TCP/IP Packet Analysis
TCP/IP Packet Analysis
TCP/IP Model
Demo - TCP/IP Movie Recommendation
Application Layer
Transport Layer
Internet Layer
Network Access Layer
Comparing OSI and TCP/IP
Demo - Engage Packet Builder
TCP
TCP Header
IP Header: Protocol Field
UDP
TCP and UDP Port Numbers
Port Numbers
Demo - Warriors of the Net
IANA
Source and Destination Port Numbers
Demo - Techtionary.com Port Numbers
What Makes Each Connection Unique?
Structure of a Packet
TCP Operation
Three-Way Handshake
Demo - Techtionary.com TCP Handshake
Flow Control
Windowing
Windowing and Window Sizes
Simple Windowing
Acknowledgement
Sliding Windows
Sequencing Numbers
Synchronization
Positive Acknowledgment and Retransmission (PAR)
What is Internet Protocol v6 (IPv6)?
Why IPv6?
IPv4/IPv6 Transition Mechanisms
IPv6 Security Issues
Security Flaws in IPv6
IPv6 Infrastructure Security
IPsec
Firewalls and Packet Filtering
Denial-of-Service (DoS) Attacks
UDP Operation
Internet Control Message Protocol (ICMP)
ICMP Message Delivery
Format of an ICMP Message
Unreachable Networks
Time Exceeded Message
IP Parameter Problem
ICMP Control Messages
ICMP Redirects
Clock Synchronization and Transit Time Estimation
Information Requests and Reply Message Formats
Address Masks
Router Solicitation and Advertisement
Module 3 Review
Module 04 - Advanced Sniffing Techniques
Advanced Sniffing Techniques
Demo - Basic Sniffers
Demo - Packet Capturing with Windows Packetyzer
What is Wireshark?
Wireshark: Filters
Wireshark: Tshark
Wireshark: Tcpdump
Demo - Tcpdump
Protocol Dissection
Steps to Solve GNU/Linux Server Network Connectivity Issues
Using Wireshark for Network Troubleshooting
Using Wireshark for System Administration
ARP Problems
Demo - Sniffers and ARP
ICMP Echo Request/Reply Header Layout
TCP Flags
Scenario 1: SYN no SYN+ACK
Scenario 2: SYN Immediate Response RST
Scenario 3: SYN SYN+ACK ACK
Tapping into the Network
Using Wireshark for Security Administration
Sniffer Detection
Wireless Sniffing with Wireshark
Frequency
Using Channel Hopping
Interference and Collisions
Recommendations for Sniffing Wireless Traffic
Analyzing Wireless Traffic
IEEE 802.11 Header
Filters
Unencrypted Data Traffic
Identifying Hidden SSIDs
Identifying EAP Authentication Failures
Identifying WEP
Identifying IPsec/VPN
Decrypting Traffic
Scanning
TCP Connect Scan
SYN Scan
XMAS Scan
Null Scan
Remote Access Trojans
Wireshark DNP3 Dissector Infinite Loop Vulnerability
Time Stamps
Time Zones
Packet Reassembling
Checksums
Module 4 Review
Module 05 - Vulnerability Analysis with Nessus
Vulnerability Analysis with Nessus
Nessus
Features of Nessus
Nessus Assessment Process
Demo - Nessus on Windows
Demo - Nessus on Windows Cont'd and GFI LANguard Comparison
False Positives
Examples of False Positives
Identifying False Positives
Suspicious Signs
Demo - Backtrack 4 Nessus Install
Module 5 Review
Module 06 - Advanced Wireless Testing
Advanced Wireless Testing
Wireless Concepts
Demo - Techtionary Website
802.11 Types
Core Issues with 802.11
What's the Difference?
Other Types of Wireless
Spread Spectrum Background
Channels
Access Point
Service Set ID
Demo - Linksys-AP Config SSID
Default SSIDs
Chipsets
Wi-Fi Equipment
Expedient Antennas
Vulnerabilities to 802.1x and RADIUS
Security - WEP
Wired Equivalent Privacy (WEP)
Exclusive OR
Encryption Process
Chipping Sequence
WEP Issues
WEP - Authentication Phase
WEP - Shared Key Authentication
WEP - Association Phase
WEP Flaws
WEP Attack
Demo - Authentication Settings
Demo - WEP Set-Up Security
Demo - Cain and Abel WEP Cracking
WPA Interim 802.11 Security
WPA
Demo - Cracking WPA with Cain and Abel
WPA2 (Wi-Fi Protected Access 2)
802.1X Authentication and EAP
EAP Types
Cisco LEAP
TKIP (Temporal Key Integrity Protocol)
Wireless Networks Testing
Wireless Communications Testing
Report Recommendations
Wireless Attack Countermeasures
Demo - MAC-SSID Security
Wireless Penetration Testing with Windows
War Driving
The Jargon - WarChalking
Wireless: Tools of the Trade
Demo - Kismet in Windows
Demo - Tool: Kismet in Linux
Demo - Vistumbler War Driving and GPS Map Plotting
How Does NetStumbler Work?
"Active" vs. "Passive" WLAN Detection
Disabling the Beacon
Running NetStumbler
Demo - Tool: Netstumbler
AirCrack-ng
AirCrack-ng: How Does it Work?
AirCrack-ng: FMS and Korek Attacks
AirCrack-ng: Notes
Demo - Hacking WEP Encryption
Determining Network Topology: Network View
WarDriving and Wireless Penetration Testing with OS X
Using a GPS
Deauthenticating Clients
StumbVerter
MITM Attack Design
MITM Attack Variables
Hardware for the Attack: Antennas, Amps, and WiFi Cards
Choosing the Right Antenna
Amplifying the Wireless Signal
IP Forwarding and NAT using IPtables
Demo - Jasager fon Router
Module 6 Review
Module 07 - Designing a DMZ
Designing a DMZ
Introduction
DMZ Concepts
DMZ Design Fundamentals
Advanced Design Strategies
Types of Firewall and DMZ Architectures
"Inside vs. Outside" Architecture
"Three-Homed Firewall" DMZ Architecture
Weak Screened Subnet Architecture
Strong Screened Subnet Architecture
Designing a DMZ using IPtables
Designing Windows DMZ
Precautions for DMZ Setup
Demo - Designing DMZs
Advanced Implementation of a Solaris DMZ Server
Solaris DMZ Servers in a Conceptual Highly Available Configuration
Hardening Checklists for DMZ Servers and Solaris
Placement of Wireless Equipment
Access to DMZ and Authentication Considerations
Wireless DMZ Components
WLAN DMZ Security Best Practices
Ethernet Interface Requirements and Configuration
DMZ Router Security Best Practice
Six Ways to Stop Data Leaks
Module 7 Review
Module 08 - Snort Analysis
Snort Analysis
Snort Overview
Modes of Operation
Features of Snort
Configuring Snort
Snort: Variables
Snort: Pre-processors
Snort: Output Plug-ins
Snort: Rules
How Snort Operates
Initializing Snort
Demo - Snort IDS Testing Scanning Tools
Signal Handlers
Parsing the Configuration File
Decoding
Possible Decoders
Pre-processing
Detection
Content Matching
The Stream4 Pre-processor
Inline Functionality
Writing Snort Rules
Snort Rule Header
Snort Rule Header: Actions
Snort Rule Header: Other Fields
IP Address Negation Rule
IP Address Filters
The direction Operator
Rule Options
Activate/Dynamic Rules
Metadata Rule Options: msg
The reference Keyword
The sid/rev Keyword
The classtype Keyword
Payload Detection Rule Options: content
Modifier Keywords
The uricontent Keyword
The fragoffset Keyword
Writing Good Snort Rules
Tool for Writing Snort Rules: IDS Policy Manager
Honeynet Security Console Tool
Key Features
Module 8 Review
Module 09 - Log Analysis
Log Analysis
Logs
Events that Need to be Logged
What to Look Out For in Logs
Automated Log Analysis Approaches
Log Shipping
Syslog
Setting up a Syslog
System Error Logs
Kiwi Syslog Daemon
Configuring Kiwi Syslog to Log to a MS SQL Database
Configuring a Cisco Router for Syslog
Configuring a DLink Router for Syslog
Gathering Log Files from an IIS Web Server
Apache Web Server Log
AWStats Log Analyzer
Cisco Router Logs
Analyzing Netgear Wireless Router Logs
Wireless Traffic Analysis Using Wireshark
Configuring Firewall Logs in Local Windows System
Viewing Local Windows Firewall Log
Viewing Windows Event Log
Collecting & Monitoring UNIX Syslog
iptables
Log Prefixing with iptables
Firewall Log Analysis with grep
SQL Database Log
Using SQL Server to Analyze Web Logs
Analyzing Oracle Logs: The Oracle Metric Log File
ApexSQL Log
Analyzing Solaris System Logs
Demo - Splunk
Module 9 Review
Module 10 - Advanced Exploits and Tools
Advanced Exploits and Tools
Common Vulnerabilities
Buffer Overflows Revisited
Smashing the Stack for Fun and Profit
Smashing the Heap for Fun and Profit
Format Strings for Chaos and Mayhem
The Anatomy of an Exploit
Demo - Fuzzing for Weaknesses
Vulnerable Code
Shellcode
Shellcode Examples
Shellcode (cont'd)
Demo - Stack Function
Delivery Code
Delivery Code: Example
Demo - Compiling Exploits from Source Code
Linux Exploits versus Windows
Windows versus Linux
Tools of the Trade: Debuggers
Tools of the Trade: GDB
Tools of the Trade: Metasploit
Demo - Metasploit Intro
Demo - Metasploit 101
Demo - Metasploit Interactive
Tools of the Trade: Canvas
Lab
Tools of the Trade: CORE Impact
Ways to Use CORE Impact
Microsoft Baseline Security Analyzer (MBSA)
Network Security Analysis Tool (NSAT)
Sunbelt Network Security Inspector (SNSI)
Demo - Saint Exploit of Windows XP
Demo - dcom101 Exploit Autoshovel of Shell
Demo - dcom Exploit Netcat Shovel of Shell and Extracting Hashes
Demo - Backtrack 4 Milw0rm Metasploit Updates
Module 10 Review
Module 11 - Penetration Testing Methodologies
Penetration Testing Methodologies
Demo - dradis Effective Information Sharing
What is Penetration Testing?
Why Penetration Testing?
What Should be Tested?
What Makes a Good Penetration Test?
Common Penetration Testing Techniques
Penetration Testing Process
Scope of Penetration Testing
Blue Teaming/Red Teaming
Types of Penetration Testing
Black-box Penetration Testing
White-box Penetration Testing
Announced Testing/ Unannounced Testing
Grey-box Penetration Testing
Strategies of Penetration Testing
External Penetration Testing
Internal Security Assessment
Application Security Assessment
Types of Application Security Assessment
Network Security Assessment
Wireless/Remote Access Assessment
Telephony Security Assessment
Social Engineering
Penetration Testing Consultants
Required Skills Sets
Hiring a Penetration Tester
Responsibilities of a Penetration Tester
Profile of a Good Penetration Tester
Why Should the Company Hire You?
Companies' Concerns
Methodology
Demo - NIST Methodology
Demo - PenTest Templates and Methodologies
Penetration Testing Roadmap
Guidelines for Security Checking
Operational Strategies for Security Testing
Security Category of the Information System
Identifying Benefits of Each Test Type
Prioritizing the Systems for Testing
ROI on Penetration Testing
Determining Cost of Each Test Type
Need for a Methodology
Penetration Test vs. Vulnerability Test
Reliance on Checklists and Templates
Phases of Penetration Testing
Pre-Attack Phase
Best Practices
Results that can be Expected
Passive Reconnaissance
Active Reconnaissance
Attack Phase
Activity: Perimeter Testing
Activity: Web Application Testing - I
Activity: Web Application Testing - II
Activity: Wireless Testing
Activity: Acquiring Target
Activity: Escalating Privileges
Activity: Execute, Implant, and Retract
Post-Attack Phase and Activities
Module 11 Review
Module 12 - Customers and Legal Agreements
Customers and Legal Agreements
Why do Organizations Need Pen-Testing?
Initial Stages in Penetration Testing
Understand Customer Requirements
Create a Checklist of Testing Requirements
Penetration Testing "Rules of Behavior"
Demo - ISSAF Customers and Legal
Penetration Testing Risks
Penetration Testing by Third Parties
Precautions While Outsourcing Penetration Testing
Legal Consequences
Demo - Computer Crimes and Implications
Get Out of Jail Free Card
Permitted Items in Legal Agreement
Confidentiality and NDA Agreements
Non-Disclosure and Secrecy Agreements (NDA)
The Contract
Liability Issues
Negligence Claim
Plan for the Worst
Drafting Contracts
How Much to Charge?
Module 12 Review
Module 13 - Rules of Engagement
Rules of Engagement
Rules of Engagement (ROE)
Demo - OSSTMM Model
Scope of ROE
Steps for Framing ROE
Clauses in ROE
Demo - ScreenHunter Desktop Capture Tool
Module 13 Review
Module 14 - Penetration Testing Planning and Scheduling
Penetration Testing Planning and Scheduling
Test Plan
Purpose of Test Plan
Building a Penetration Test Plan
Demo - Overview OSSTMM
IEEE STD. 829-1998 SECTION HEADINGS
Test Plan Identifier
Test Deliverables
Penetration Testing Planning Phase
Define the Scope
Project Scope
When to Retest?
Responsibilities
Skills and Knowledge Required
Internal Employees
Penetration Testing Teams
Tiger Team
Building Tiger Team
Questions to Ask Before Hiring Consultants to the Tiger Team
Meeting With the Client
Kickoff Meeting
Penetration Testing Project Plan
Work Breakdown Structure or Task List
Penetration Testing Schedule
Penetration Testing Project Scheduling Tools
Test Plan Checklist
Penetration Testing Hardware/Software Requirements
EC-Council's Vampire Box
Begin Penetration Testing
Demo - Installing Backtrack 4 into VMWare Environment
Module 14 Review
Module 15 - Customers and Legal Agreements
Pre-Penetration Testing Checklist
Demo - Pentest Checklist
Step 1: Gather Information about Client Organization's History and Background
Step 2: Visit the Client Organization Premises
Step 3: List the Client Organization's Penetration Testing Requirements
Step 4: Obtain Penetration Testing Permission from the Company's Stakeholders
Step 5: Obtain Detailed Proposal of Test and Services that are Proposed to be carried out
Step 6: Identify the Office Space/Location your Team would be Working in for this Project
Step 7: Obtain Temporary Identity Cards from the Organization for the Team who is Involved in the Process
Step 8: Identify who will be Leading the Penetration Testing Project (Chief Penetration Tester)
Step 9: Request from the Client Organization the Previous Penetration Testing/Vulnerability Assessment Reports
Step 10: Prepare Rules of Engagement that Lists the Company's Core Competencies/Limitations/Timescales
Step 11: Hire a Lawyer who Understands IT and can Handle your Penetration Testing Legal Documents
Step 12: Prepare PT Legal Document and get Vetted with your Lawyer
Step 13: Prepare Non Disclosure Agreement (NDA) and have the Client Sign them
Step 14: Obtain (if possible) Liability Insurance from a Local Insurance Firm
Step 15: Identify your Core Competencies/Limitations
Step 16: Allocate a Budget for the Penetration Testing Project ( X amount of $ )
Step 17: Prepare a Tiger Team
Step 18: List the Security Tools that you will be using for the Penetration Testing Project
Step 19: List the Hardware and Software Requirements for the Penetration Testing Project
Step 20: Identify the Clients Security Compliance Requirements
Step 21: List the Servers, Workstations, Desktops and Network Devices that need to be Tested
Step 22: Identify the Type of Testing that would be carried out - Black Box or White Box Testing
Step 23: Identify the Type of Testing that would be carried out - Announced/ Unannounced
Step 24: Identify Local Equipment Required for Pen Test
Step 25: Identify Local Manpower Required for Pen Test
Step 26: List the Contact Details of Personnel from Client Organization who will be in Charge of the Pen Test
Step 27: Obtain the Contact Details of the Key Personnel for Approaching in case of an Emergency
Step 29: List the Tests that will not be carried out at the Client Network
Step 30: Identify the Purpose of the Test you are carrying out at the Client Organization
Step 31: Identify the Network Topology in which the Test would be carried out
Step 32: Obtain Special Permission if Required from Local Law Enforcement Agency
Step 33: List known Waivers/Exemptions
Step 34: List the Contractual Constraints in the Penetration Testing Agreement
Step 35: Identify the Reporting Timescales with the Client Organization
Step 36: Identify the List of Penetration Testers Required for this Project
Step 37: Negotiate per Day/per Hour Fee that you will be Charging for the Penetration Testing Project
Step 38: Draft the Timeline for the Penetration Testing Project
Step 39: Draft a Quotation for the Services that you'll be Providing to the Client Organization
Step 40: Identify how the Final Penetration Testing Report will be Delivered to the Client Organization
Step 41: Identify the Reports to be Delivered After Pen Test
Step 42: Identify the Information Security Administrator who will be helping you in the Penetration Testing
Module 15 Review
Module 16 - Information Gathering
Information Gathering
What is Information Gathering?
Information Gathering Steps
Step 1: Crawl the Website and Mirror the Pages on Your PC
Demo - HTTrack Website Copier
Step 2: Crawl the FTP Site and Mirror the Pages on Your PC
Demo - Wget and Backtrack 4 Live CD
Step 3: Look up Registered Information in the Whois Database
Demo - CentralOps and Domains by Proxy
Demo - Backtrack and Whois
Step 4: List the Products Sold by the Company
Demo - Firecat (Firefox Addons)
Step 5: List the Contact Information, Email Addresses, and Telephone Numbers
Step 6: List the Company's Distributors
Step 7: List the Company's Partners
Demo - Email Spider
Step 8: Search the Internet, Newsgroups, Bulletin Boards, Negative Websites for Information about the Company
Demo - Maltego
Step 9: Search for Trade Association Directories
Step 10: Search for Link Popularity of Company Website
Demo - Alexa
Step 11: Compare Price of Product or Service with the Competitor
Step 12: Find the Geographical Location
Demo - Shazou
Use Google Map to Find Geographical Location
Step 13: Search the Internet Archive Pages about the Company
Demo - Archive.org
Step 14: Search Similar or Parallel Domain Name Listings
Demo - ServerSniff TLDs
Step 15: Search Job Posting Sites about the Company
Step 16: Browse Social Network Websites
Demo - Social Networking
Step 17: Write Down Key Employees
Step 18: Investigate Key Persons - Searching in Google, Look up their Resumes and Cross Link Information
Step 19: List Employee Company and Personal Email Address
Step 20: Search for Web Pages Posting Patterns and Revision Numbers
Demo - No Tech Hacking
Step 21: Email the Employee Disguised as Customer Asking for Quotation
Step 22: Visit the Company as Inquirer and Extract Privileged Information
Step 23: Visit the Company Locality
Step 24: Use Web Investigation Tools to Extract Sensitive Data Targeting the Company
Step 25: Use Intelius and Conduct Background Check on Company Key Personnel
Step 26: Search on eBay for Company's Presence
Step 27: Use the Domain Research Tool to Investigate the Company's Domain
Step 28: Use the EDGAR Database to Research Company Information
Step 34: Use GHDB and Search for the Company Name
Demo - Summary
Demo - Vmware 64bit Error Fix
Demo - SEAT
Demo - Metagoofil Search
Demo - CORE Impact Email Info Gathering
Module 16 Review
Module 17 - Vulnerability Analysis
Vulnerability Analysis
Why Assess?
Vulnerability Classification
What is Vulnerability Assessment?
Demo - Vulnerability Research Resources
Demo - Nessus 4 Windows Install and Wikto Scan Webgoat
Types of Vulnerability Assessment
Demo - Nessus 3 Webgoat Scan BT4
Demo - Nessus 4 Webgoat Scan
Demo - GFI LANguard
How to Conduct a Vulnerability Assessment
How to Obtain a High Quality Vulnerability Assessment
Vulnerability Assessment Phases
Pre-Assessment Phase
Assessment Phase
Post-Assessment Phase
Vulnerability Analysis Stages
Comparing Approaches to Vulnerability Assessment
Characteristics of a Good Vulnerability Assessment Solution
Vulnerability Assessment Considerations
Vulnerability Assessment Reports
Demo - Nessus 3 BT Exporting NBE Report
Vulnerability Report Model
Timeline
Types of Vulnerability Assessment Tools
Choosing a Vulnerability Assessment Tool
Vulnerability Assessment Tools Best Practices
Vulnerability Assessment Tools
Demo - Retina Security Scanner
Other Vulnerability Tools
Report
Vulnerability Assessment Reports
Automated Scanning Server Reports
Periodic Vulnerability Scanning Report
Module 17 Review
Module 18 - External Penetration Testing
External Penetration Testing
Penetration Testing Roadmap
External Intrusion Test and Analysis
How is it Done?
Client Benefits
External Penetration Testing
Steps - Conduct External Penetration Testing
Demo - CORE Impact Network Vulnerability Test
Demo - Samurai Live CD Intro
Step 1: Inventory Company's External Infrastructure
Step 2: Create Topological Map of the Network
Step 3: Identify the IP Address
Step 4: Locate the Traffic Route that Goes to the Web Servers
Step 5/6: Locate TCP/UDP Traffic Path to the Destination
Step 7: Identify the Physical Location of the Target Servers
Step 8: Examine the Use of IPv6 at the Remote Location
Step 9: Lookup Domain Registry for IP Information
Step 10: Find IP Block Information about the Target
Step 11: Locate the ISP Servicing the Client
Step 12: List Open Ports
Open Ports on Web Server
Step 13: List Closed Ports
Port Scanning Tools
Step 14: List Suspicious Ports that are Half Open/Closed
Step 15: Port Scan Every Port (65,536) on the Target's Network
Step 16: Use SYN Scan on the Target and See the Response
Step 17: Use Connect Scan on the Target and See the Response
Demo - N-stalker Results Webgoat
Demo - Breaking Access Control Passwords with Xhydra
Demo - Viewing Website with Telnet
Demo - Input-injection Attack
Demo - Fast-track Overview and Install
Demo - Fast-track Exploits
Demo - Fast-track Clientside Attacks
Demo - Fast-track Mass Attack
Module 18 Review
Module 19 - Internal Network Penetration Testing
Internal Network Penetration Testing
Penetration Testing Roadmap
Internal Testing
Methods of Internal Testing
Enumerate Other Machines
Step 1: Map the Internal Network
Demo - Spiceworks Inventory
Step 2: Scan the Network for Live Hosts
Demo - SNMP Enumerating with BT
Demo - FireScope MIB Tool
Step 3: Port Scan Individual Machines
Step 4: Try to Gain Access Using Known Vulnerabilities
Demo - SMB NAT Dictionary Attacks
Demo - Injecting the Abel Service
Demo - Nslookup DNS Zone Transfer
Step 5: Attempt to Establish Null Sessions
Demo - Enumerate Banners
Demo - Null Session Multiple Tools
Demo - Null Session Countermeasures
Step 6: Enumerate Users
Step 7: Sniff the Network Using Wireshark
Step 8: Sniff Pop3/FTP/Telnet Passwords
Step 9: Sniff Email Messages/VoIP Traffic
Sniffer Tools
Demo - ARP Poisoning with Cain
Step 10: Attempt Replay Attacks
Demo - SSL MITM
Step 11: Attempt ARP Poisoning
Step 11a: Attempt Mac Flooding
Step 12: Conduct a Man-in-the Middle Attack
Step 13: Attempt DNS Poisoning
Demo - Cain DNS Spoof
Step 14: Try a Login to a Console Machine
Step 15: Boot the PC Using Alternate OS and Steal the SAM File
Demo - Local Password Reset
Demo - Backtrack Local XP Password Attack
Copying Commands in Knoppix
ERD Commander 2005
Reset Administrator Password
Step 16: Attempt to Plant a Software Keylogger to Steal Passwords
Keyloggers and Spy Software
Demo - Hardware Keystroke Loggers
Step 17: Attempt to Plant a Hardware Keylogger to Steal Passwords
Step 18: Attempt to Plant a Spyware on the Target Machine
Step 19: Attempt to Plant a Trojan on the Target Machine
Step 20: Attempt to Create a Backdoor Account on the Target Machine
Demo - Secure Tunnels and Anonymizer Techniques
Step 21: Attempt to Bypass Anti-virus Software Installed on the Target Machine
Demo - Stealth Tools v2 to Hide Viruses and Malware
Step 22: Attempt to Send Virus Using the Target Machine
Step 23: Attempt to Plant Rootkits on the Target Machine
Demo - Dreampakpl Rootkit
Step 24: Hide Sensitive Data on Target Machines
Demo - Alternate Data Streams
Step 25: Hide Hacking Tools and Other Data in Target Machines
Step 26: Use Various Steganography Techniques to Hide Files on Target Machine
Demo - Steganography
Step 27: Escalate User Privileges
Demo - Privilege Escalation
Step 28: Capture POP3 Traffic
Step 29: Capture SMTP Traffic
Step 32: Capture HTTP Traffic
Step 33: Capture HTTPS Traffic (Even Though it cannot be Decoded)
Step 34: Capture RDP Traffic
Step 35: Capture VoIP Traffic
Demo - Cain VoIP RDP Interception
Steps 40 and 41
Step 42: Attempt Session Hijacking on Telnet Traffic
Steps 43 and 44
Continue Testing
CORE Impact - Automated Tool
Metasploit - Tool
Canvas - Automated Tool
Vulnerability Scanning Tools
Document Everything
Module 19 Review
Module 20 - Router and Switches Penetration Testing
Router and Switches Penetration Testing
Demo - Cain and Abel Routing Protocols and ID Networks
Penetration Testing Roadmap
Router Testing Issues
Need for Router Testing
General Requirements
Technical Requirements
Try to Compromise t
Features
Limited Time Bonus Offer:
Receive our Shon Harris Systems Security Certified Practitioner (SSCP®) at No Cost (Value at $695)
Training package includes:
6 DVDs featuring live instructor-led classroom sessions with full audio, video and demonstration components
Official EC-Council ECSA/LPT Courseware Kit (Value at $595)
1 DVD containing the latest Tools and Exploits
Intensive Hacking and Counter-Hacking Hands-On demonstration components
Official EC-Council ECSA Curriculum Courseware Volumes 1, 2 & 3
Official EC-Council ECSA Lab Guide
ECSA/LPT T-shirt and Backpack
*Exclusive LearningZone Live Mentor, Ring for Details (Add $50/6 months $75/12 Months)
Help Whenever you need it! Exclusive LearningZone - Chat Live with our Certified Instructors anytime around the clock (7x24)
Proven technique- Actual Exam Secrets Review
Certification Exam Pass Guarantee
Free 1 Year Upgrade Policy
Certificate of Completion
**Price includes delivery ex US (value $150+) and GST
This is a heavy and bulky item.