Description
Course Outline
Module 1: The Need for Security Analysis
What Are We Concerned About?
So What Are You Trying To Protect?
Why Are Intrusions So Often Successful?
What Are The Greatest Challenges?
Environmental Complexity
New Technologies
New Threats, New Exploits
Limited Focus
Limited Expertise
Authentication
Authorization
Confidentiality
Integrity
Availability
Nonrepudiation
We Must Be Diligent
Threat Agents
Assessment Questions
How Much Security is Enough?
Risk
Simplifying Risk
Risk Analysis
Risk Assessment Answers Seven Questions
Steps of Risk Assessment
Risk Assessment Values
Information Security Awareness
Security policies
Types of Policies
Promiscuous Policy
Permissive Policy
Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
Other Important Policies
Policy Statements
Basic Document Set of Information Security Policies
ISO 17799
Domains of ISO 17799
No Simple Solutions
U.S. Legislation
California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
USA Patriot Act 2001
U.K. Legislation
How Does This Law Affect a Security Officer?
The Data Protection Act 1998
The Human Rights Act 1998
Interception of Communications
The Freedom of Information Act 2000
The Audit Investigation and Community Enterprise Act 2005
Module 2: Advanced Googling
Site Operator
intitle:index.of
error | warning
login | logon
username | userid | employee.ID | “your username is”
password | passcode | “your password is”
admin | administrator
admin login
-ext:html -ext:htm -ext:shtml -ext:asp -ext:php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
intranet | help.desk
Locating Public Exploit Sites
Locating Exploits Via Common Code Strings
Searching for Exploit Code with Nonstandard Extensions
Locating Source Code with Common Strings
Locating Vulnerable Targets
Locating Targets Via Demonstration Pages
“Powered by” Tags Are Common Query Fodder for Finding Web Applications
Locating Targets Via Source Code
Vulnerable Web Application Examples
Locating Targets Via CGI Scanning
A Single CGI Scan-Style Query
Directory Listings
Finding IIS 5.0 Servers
Web Server Software Error Messages
IIS HTTP/1.1 Error Page Titles
“Object Not Found” Error Message Used to Find IIS 5.0
Apache Web Server
Apache 2.0 Error Pages
Application Software Error Messages
ASP Dumps Provide Dangerous Details
Many Errors Reveal Pathnames and Filenames
CGI Environment Listings Reveal Lots of Information
Default Pages
A Typical Apache Default Web Page
Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Default Pages Query for Web Server
Outlook Web Access Default Portal
Searching for Passwords
Windows Registry Entries Can Reveal Passwords
Usernames, Cleartext Passwords, and Hostnames!
Module 3: TCP/IP Packet Analysis
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Access Layer
Comparing OSI and TCP/IP
Addressing
IPv4 Addresses
IP Classes of Addresses
Reserved IP Addresses
Private Addresses
Subnetting
IPv4 and IPv6
Transport Layer
Flow Control
Three-Way Handshake
TCP/IP Protocols
TCP Header
IP Header
IP Header: Protocol Field
UDP
TCP and UDP Port Numbers
Port Numbers
TCP Operation
Synchronization or 3-way Handshake
Denial of Service (DoS) Attacks
DoS Syn Flooding Attack
Windowing
Acknowledgement
Windowing and Window Sizes
Simple Windowing
Sliding Windows
Sequencing Numbers
Positive Acknowledgment and Retransmission (PAR)
UDP Operation
Port Numbers Positioning between Transport and Application Layer (TCP and UDP)
Port Numbers
http://www.iana.org/assignments/port-numbers
What Makes Each Connection Unique?
Internet Control Message Protocol (ICMP)
Error Reporting and Error Correction
ICMP Message Delivery
Format of an ICMP Message
Unreachable Networks
Destination Unreachable Message
ICMP Echo (Request) and Echo Reply
Detecting Excessively Long Routes
IP Parameter Problem
ICMP Control Messages
ICMP Redirects
Clock Synchronization and Transit Time Estimation
Information Requests and Reply Message Formats
Address Masks
Router Solicitation and Advertisement
Module 4: Advanced Sniffing Techniques
What is Wireshark?
Wireshark: Filters
IP Display Filters
Example
Wireshark: Tshark
Wireshark: Editcap
Wireshark: Mergecap
Wireshark: Text2pcap
Using Wireshark for Network Troubleshooting
Network Troubleshooting Methodology
Using Wireshark for System Administration
ARP Problems
ICMP Echo Request/Reply Header Layout
TCP Flags
TCP SYN Packet Flags Bit Field
Capture Filter Examples
Scenario 1: SYN no SYN+ACK
Scenario 2: SYN Immediate Response RST
Scenario 3: SYN SYN+ACK ACK
Using Wireshark for Security Administration
Detecting Internet Relay Chat Activity
Wireshark as a Detector for Proprietary Information Transmission
Sniffer Detection
Wireless Sniffing with Wireshark
AirPcap
Using Channel Hopping
Interference and Collisions
Recommendations for Sniffing Wireless
Analyzing Wireless Traffic
IEEE 802.11 Header
IEEE 802.11 Header Fields
Filters
Filtering on Source MAC Address and BSSID
Filtering on BSSID
Filter on SSID
Wireless Frame Types Filters
Unencrypted Data Traffic
Identifying Hidden SSIDs
Revealed SSID
Identifying EAP Authentication Failures
Identifying the EAP Type
Identifying Key Negotiation Properties
EAP Identity Disclosure
Identifying WEP
Identifying TKIP and CCMP
Identifying IPSec/VPN
Decrypting Traffic
Scanning
TCP Connect Scan
SYN Scan
XMAS Scan
Null Scan
Remote Access Trojans
NetBus Analysis
Trojan Analysis Example NetBus Analysis
Module 5: Vulnerability Analysis with Nessus
Nessus
Features of Nessus
Nessus Assessment Process
Nessus: Scanning
Nessus: Enumeration
Nessus: Vulnerability Detection
Configuring Nessus
Updating Nessus Plug-Ins
Using the Nessus Client
Starting a Nessus Scan
Generating Reports
Data Gathering
Host Identification
Port Scan
SYN scan
Timing
Port Scanning Rules of Thumb
Plug-in Selection
Dangerous plugins
Scanning Rules of Thumb
Report Generation
Reports: Result
Identifying False Positives
Suspicious Signs
False Positives
Examples of False Positives
Writing Nessus Plugins
Writing a Plugin
Installing and Running the Plugin
Nessus Report with output from our plugin
Security Center http://www.tenablesecurity.com
Module 6: Advanced Wireless Testing
Wireless Concepts
802.11 Types
Core Issues with 802.11
What’s the Difference?
Other Types of Wireless
Spread Spectrum Background
Channels
Access Point
Service Set ID
Default SSIDs
Chipsets
Wi-Fi Equipment
Expedient Antennas
Vulnerabilities to 802.1x and RADIUS
Wired Equivalent Privacy
Security – WEP
Wired Equivalent Privacy
Exclusive OR
Encryption Process
Chipping Sequence
WEP Issues
WEP – Authentication Phase
WEP – Shared Key Authentication
WEP – Association Phase
WEP Flaws
WEP Attack
WEP: Solutions
WEP Solution – 802.11i
Wireless Security Technologies
WPA Interim 802.11 Security
WPA
802.1X Authentication and EAP
EAP Types
Cisco LEAP
TKIP (Temporal Key Integrity Protocol)
Wireless Networks Testing
Wireless Communications Testing
Report Recommendations
Wireless Attack Countermeasures
Wireless Penetration Testing with Windows
Attacks And Tools
War Driving
The Jargon – WarChalking
WarPumpkin
Wireless: Tools of the Trade
Mapping with Kismet
WarDriving with NetStumbler
How Does NetStumbler Work?
“Active” versus “Passive” WLAN Detection
Disabling the Beacon
Running NetStumbler
Captured Data Using NetStumbler
Filtering by Channels
Airsnort
WEPCrack
Monkey-Jack
How Monkey-Jack Works
Before Monkey-Jack
After Monkey-Jack
AirCrack-ng
How Does It Work?
FMS and Korek Attacks
Crack WEP
Available Options
Usage Examples
Cracking WPA/WPA2 Passphrases
Notes
Determining Network Topology: Network View
WarDriving and Wireless Penetration Testing with OS X
What is the Difference between “Active” and “Passive” Sniffing?
Using a GPS
Attacking WEP Encryption with KisMAC
Deauthenticating Clients
Attacking WPA with KisMAC
Brute-force Attacks Against 40-bit WEP
Wordlist Attacks
Mapping WarDrives with StumbVerter
MITM Attack basics
MITM Attack Design
MITM Attack Variables
Hardware for the Attack Antennas, Amps, WiFi Cards
Wireless Network Cards
Choosing the Right Antenna
Amplifying the Wireless Signal
Identify and Compromise the Target Access Point
Compromising the Target
Crack the WEP key
Aircrack-ng Cracked the WEP Key
The MITM Attack Laptop Configuration
IP Forwarding and NAT Using Iptables
Installing Iptables and IP Forwarding
Establishing the NAT Rules
Dnsmasq
Configuring Dnsmasq
Apache Web Servers
Virtual Directories
Clone the Target Access Point and Begin the Attack
Start the Wireless Interface
Deauthenticate Clients Connected to the Target Access Point
Wait for the Client to Associate to Your Access Point
Spoof the Application
Modify the Page
Example Page
Login/php page
Redirect Web Traffic Using Dnsmasq
Module 7: Designing a DMZ
Introduction
DMZ Concepts
Multitiered Firewall With a DMZ Flow
DMZ Design Fundamentals
Advanced Design Strategies
Designing Windows DMZ
Precautions for DMZ Setup
Security Analysis for the DMZ
Designing Sun Solaris DMZ
Placement of Servers
Advanced Implementation of a Solaris DMZ Server
Solaris DMZ Servers in a Conceptual Highly Available Configuration
Private and Public Network Firewall Ruleset
DMZ Server Firewall Ruleset
Solaris DMZ System Design
Disk Layout and Considerations
Designing Wireless DMZ
Placement of Wireless Equipment
Access to DMZ and Authentication Considerations
Wireless DMZ Components
Wireless DMZ Using RADIUS to Authenticate Users
WLAN DMZ Security Best-Practices
DMZ Router Security Best-Practice
DMZ Switch Security Best-Practice
Six Ways to Stop Data Leaks
Reconnex
Module 8: Snort Analysis
Snort Overview
Modes of Operation
Features of Snort
Configuring Snort
Variables
Preprocessors
Output Plugins
Rules
Working of Snort
Initializing Snort
Signal Handlers
Parsing the Configuration File
Decoding
Possible Decoders
Preprocessing
Detection
Content Matching
Content-Matching Functions
The Stream4 Preprocessor
Inline Functionality
Writing Snort Rules
Snort Rule Header
Snort Rule Header: Actions
Snort Rule Header: Other Fields
IP Address Negation Rule
IP Address Filters
Port Numbers
Direction Operator
Rule Options
Activate/Dynamic Rules
Meta-Data Rule Options: msg
Reference Keyword
sid/rev Keyword
Classtype Keyword
Payload Detection Rule Options: content
Modifier Keywords
Offset/depth Keyword
Uricontent keyword
fragoffset keyword
ttl keyword
id keyword
flags keyword
itype keyword: icmp id
Writing Good Snort Rules
Sample Rule to Catch Metasploit Buffer Overflow Exploit
Tool for writing Snort rules: IDS Policy Manager
Subscribe to Snort Rules
Honeynet Security Console Tool
Key Features
Module 9: Log Analysis
Introduction to Logs
Types of Logs
Events that Need to be Logged
What to Look Out For in Logs
W3C Extended Log File Format
Automated Log Analysis Approaches
Log Shipping
Analyzing Syslog
Syslog
Setting up a Syslog
Syslog: Enabling Message Logging
Main Display Window
Configuring Kiwi Syslog to Log to a MS SQL Database
Configuring Ethereal to Capture Syslog Messages
Sending Log Files via email
Configuring Cisco Router for Syslog
Configuring DLink Router for Syslog
Configuring Cisco PIX for Syslog
Configuring an Intertex / Ingate / PowerBit / SurfinBird ADSL Router
Configuring a LinkSys wireless VPN Router
Configuring a Netgear ADSL Firewall Router
Analyzing Web Server Logs
Apache Web Server Log
AWStats
Configuring AWStats for IIS
Log Processing in AWStats
Analyzing Router Logs
Router Logs
Analyzing Wireless Network Devices Logs
Wireless Traffic Log
Analyzing Windows Logs
Configuring Firewall Logs in Local Windows System
Viewing Local Windows Firewall Log
Viewing Windows Event Log
Analyzing Linux Logs
iptables
Log Prefixing with iptables
Firewall Log Analysis with grep
Analyzing SQL Server Logs
SQL Database Log
ApexSQL Log
Configuring ApexSQL Log
Analyzing VPN Server Logs
VPN Client Log
Analyzing Firewall Logs
Why Firewall Logs are Important
Firewall Log Sample
ManageEngine Firewall Analyzer
Installing Firewall Analyzer
Viewing Firewall Analyzer Reports
Firewall Analyzer Log Reports
Analyzing IDS Logs
SnortALog
IDS Log Sample
Analyzing DHCP Logs
DHCP Log
NTP Configuration
Time Synchronization and Logging
NTP Overview
NTP Client Configuration
Configuring an NTP client using the Client Manager
Configuring an NTP Server
NTP: Setting Local Date and Time
Log Analysis Tools
All-Seeing Eye Tool: Event Log Tracker
Network Sniffer Interface Test Tool
Syslog Manager 2.0.1
Sawmill
WALLWATCHER
Log Alert Tools
Network Eagle Monitor
Network Eagle Monitor: Features
SQL Server Database Log Navigator
What Does Log Navigator Do?
How Does Log Navigator Work?
Snortsnarf
Types of Snort Alarms
ACID (Analysis Console for Intrusion Databases)
Module 10: Advanced Exploits and Tools
Common Vulnerabilities
Buffer Overflows Revisited
Smashing the Stack for Fun and Profit
Smashing the Heap for Fun and Profit
Format Strings for Chaos and Mayhem
The Anatomy of an Exploit
Vulnerable code
Shellcoding
Shellcode Examples
Delivery Code
Delivery Code: Example
Linux Exploits Versus Windows
Windows Versus Linux
Tools of the Trade: Debuggers
Tools of the Trade: GDB
Tools of the Trade: Metasploit
Metasploit Framework
User-Interface Modes
Metasploit: Environment
Environment: Global Environment
Environment: Temporary Environment
Metasploit: Options
Metasploit: Commands
Metasploit: Launching the Exploit
MetaSploit: Advanced Features
Tools of the Trade: Canvas
Tools of the Trade: CORE Impact
IMPACT Industrializes Penetration Testing
Ways to Use CORE IMPACT
Other IMPACT Benefits
ANATOMY OF A REAL-WORLD ATTACK
CLIENT SIDE EXPLOITS
Impact Demo Lab
Module 11: Penetration Testing Methodologies
Module 12: Customers and Legal Agreements
Module 13: Penetration Testing Planning and Scheduling
Module 14: Pre-Penetration Testing Checklist
Module 15: Information Gathering
Module 16: Vulnerability Analysis
Module 17: External Penetration Testing
Module 18: Internal Network Penetration Testing
Module 19: Router Penetration Testing
Module 20: Firewall Penetration Testing
Module 21: IDS Penetration Testing
Module 22: Wireless Network Penetration Testing
Module 23: Denial of Service Penetration Testing
Module 24: Password Cracking Penetration Testing
Module 25: Social Engineering Penetration Testing
Module 26: Stolen Laptop Penetration Testing
Module 27: Application Penetration Testing
Module 28: Physical Security Penetration Testing
Module 29: Database Penetration Testing
Module 30: VoIP Penetration Testing
Module 31: VPN Penetration Testing
Module 32: Penetration Testing Report Analysis
Module 33: Penetration Testing Report and Documentation Writing
Module 34: Penetration Testing Deliverables and Conclusion
Module 35: Ethics of a Licensed Penetration Tester