1. SkriptJack
2. M01 - Business and Technical Logistics of PT
2.1. Types of Hackers
2.1.1. white hat
2.1.1.1. Defensive hacker assigned to attack companies in order to improve their defense and security
2.1.2. gray hat
2.1.2.1. Hacker who plays mainly a defensive role but sometimes uses his/her knowledge for black hat purposes
2.1.3. black hat
2.1.3.1. Offensive hacker who attacks with intention of unauthorized theft or destruction of data
2.2. Types of attacks
2.2.1. Operating System attacks
2.2.2. Application-level attacks
2.2.3. Shrink wrap code attacks
2.2.4. Misconfiguration attacks
2.3. Functionality, and Ease of Use Triangle
2.4. Security testing - hint: boxes
2.4.1. White box
2.4.2. Black box
2.4.2.1. You know only the company name
2.4.3. gray box
2.5. Passive information gathering
2.6. Active information gathering
2.7. Attack Phases
2.7.1. Reconnaissance
2.7.2. Scanning
2.7.3. Gaining Access
2.7.4. Maintaining Access
2.7.5. Covering Tracks
2.8. Elements of Security
3. M02 - Information Gathering
3.1. Passive Information Gathering
3.1.1. Whois
3.1.2. Google
3.1.3. www.archive.org
3.1.4. ICANN
3.1.4.1. ARIN
3.1.4.2. RIPE ncc
3.1.4.3. LACNIC
3.1.4.4. AfriNIC
3.1.4.5. APNIC
3.1.5. www.centralops.net
3.1.6. DNS
3.1.6.1. DNS - SOA lower at target - Tools used NSlookup, Sam Spade, Dig, Host - RR Records contain NS, SOA, A & MX
3.1.7. Traceroute
3.2. Competitive Intelligence Gathering
3.2.1. Data Gathering
3.2.2. Data Analysis
3.2.3. Information Verification
3.2.4. Information Security
3.3. Social Engineering
3.3.1. Types of social engineering
3.3.1.1. Reciprocation
3.3.1.2. Consistency
3.3.1.3. Social Validation
3.3.1.4. Liking
3.3.1.5. Authority
3.3.1.5.1. Human-based Social Engineering
3.3.1.6. Scarcity
3.3.2. Tactic or Trick of gaining sensitive information
3.3.2.1. Trust
3.3.2.2. Fear
3.3.2.3. Desire to Help
3.3.2.4. Social Engineers attempt to gather information such as
3.3.2.4.1. Sensitive information
3.3.2.4.2. Authorization details
3.3.2.4.3. Access Details
3.3.3. Computer based Social Engineering
3.3.3.1. Pop-up Windows
3.3.3.2. Mail Attachments
3.3.3.3. Websites
3.3.3.4. Hoaxes and Chain letters
3.3.3.5. Instant Chat messenger
3.3.3.6. SPAM email
3.3.3.7. Phishing
3.3.4. Common targets
3.3.4.1. Receptionist and help desk personnel
3.3.4.2. Technical Support executives
3.3.4.3. Vendors of target organisation
3.3.4.4. System administrators and users
3.3.5. Behaviors Vulnerable to Attacks
3.3.5.1. Trust
3.3.5.2. Ignorance
3.3.5.3. Fear
3.3.5.4. Greed
3.3.5.5. Moral Duty
3.3.6. Insider attack
3.3.6.1. Disgruntled Employee
3.3.6.2. Preventing Insider Threat
3.3.6.2.1. Separation of Duties
3.3.6.2.2. Rotation of duties
3.3.6.2.3. Least privilege
3.3.6.2.4. Controlled Access
3.3.6.2.5. Logging and Auditing
3.3.6.2.6. Legal policies
3.3.6.2.7. Archive critical data
3.3.7. Countermeasures
3.3.7.1. Classification of information
3.3.7.2. Access privileges
3.3.7.3. Background check of employees and proper termination process
3.3.7.4. Proper incident response system
4. M03 - Linux Fundamentals
5. M04 - Detecting Live Systems
5.1. Scanning
5.1.1. ICMP
5.1.1.1. request
5.1.1.1.1. type 8
5.1.1.2. reply
5.1.1.2.1. type 0
5.1.1.3. TTL Exceeded
5.1.1.3.1. type 11
5.1.1.4. destination unreachable
5.1.1.4.1. type 3
5.1.2. TCP
5.1.2.1. Three way handshake
5.1.2.2. communication flags
5.1.2.2.1. SYN
5.1.2.2.2. ACK
5.1.2.2.3. PSH
5.1.2.2.4. URG
5.1.2.2.5. FIN
5.1.2.2.6. RST
5.1.3. UDP
5.1.4. Nmap
5.1.4.1. Nmap commands
5.1.4.1.1. scans
5.1.4.1.2. verbose
5.1.4.1.3. speeds
5.1.5. An attacker cannot simply spoof his IP address and expect to be able to scan or access a network undetected.
5.1.6. If a system elicits no response, possible reasons are:
5.1.6.1. UDP is filtered by a gateway
5.1.6.2. The host might be down
5.1.6.3. The destination network might be down
5.1.6.4. ICMP is filtered by a gateway
5.1.7. After port scanning, an attacker grabs the banner of an open port to learn which service is running on each port.
5.1.8. TCP Connect scan is the most reliable scan
5.1.9. War Dialing allows circumvention of protection mechanisms by being on the internal network
5.1.10. www.networkuptime.net/nmap/index.shtml
6. M05 - Reconnaissance
6.1. NetBIOS null sessions
6.1.1. used ports
6.1.1.1. 139
6.1.1.2. 445
6.1.2. check for
6.1.2.1. Windows: net use \\victim\ipc$ "" /user:""
6.2. Banner grabbing
6.3. Tools to enumerate a system
6.3.1. IP-Tools
6.3.2. DumpSec
6.3.3. getif
6.3.4. winfo.exe
6.4. Data retrievable with Enumeration
6.4.1. usernames
6.4.2. usergroups
6.4.3. shares
6.4.4. password policy
6.4.4.1. min length
6.4.4.2. lockout threshold
6.4.4.3. min age
6.4.4.4. max age
6.4.4.5. lockout duration
6.4.4.6. lockout reset
6.4.5. SID of administrator
6.4.6. password guessing
7. M07 - Vulnerability Assessments
8. M08 - Malware - Software Goes Undercover
8.1. Trojans & Backdoors
8.1.1. Overt channel
8.1.2. Covert channel
8.1.3. Types of Trojans
8.1.3.1. Remote Access
8.1.3.2. Data-Sending
8.1.3.3. Destructive
8.1.3.4. Denial-of-Service
8.1.3.5. Proxy
8.1.3.6. FTP
8.1.3.7. Security Software Disablers
8.1.4. Attack vectors
8.1.4.1. Instant Messaging
8.1.4.2. IRC (Internet Relay Chat)
8.1.4.3. Via Attachments
8.1.4.4. Physical Access
8.1.4.5. Browser and Email Bugs
8.1.4.6. NetBIOS
8.1.4.7. Fake Programs
8.1.4.8. Suspicious Sites and Freeware Software
8.1.5. Working of Trojans
8.1.5.1. Client Server model
8.1.5.2. Command and control channel
8.1.5.2.1. IRC
8.1.5.2.2. ICQ
8.1.5.2.3. HTTP
8.1.5.2.4. RSS
8.1.6. Questions
8.1.6.1. Tini
8.1.6.1.1. 7777
8.1.6.1.2. It's tiny
8.1.6.1.3. 3kb
8.1.6.2. NetCat
8.1.6.2.1. Cryptcat is Netcat with encryption
8.1.6.3. BackOrifice
8.1.6.3.1. port numbers 31337/31338
8.1.6.4. Sub7
8.1.6.4.1. ports 6711,6712,6713
8.1.6.5. NetBus
8.1.6.5.1. ports 12345/12346
8.1.6.6. Beast
8.1.6.6.1. It's a royal pain in the ass
8.1.6.6.2. remove by running a beast server and tell the client to disable itself
8.1.6.7. Loki
8.1.6.7.1. written by daemon9
8.1.6.7.2. access over ICMP
8.1.6.7.3. UDP 53
8.1.7. Detect trojans
8.1.7.1. Netstat
8.1.7.2. Fport
8.1.7.3. TCPview
8.1.7.4. Process viewer
8.1.7.5. What's on my computer
8.1.7.6. Insider
8.1.7.7. Ethereal/Wireshark
8.1.7.8. Currports
8.1.7.9. autoruns
8.1.7.10. msconfig
8.1.7.11. Tripwire
8.1.7.11.1. System integrity verifier
8.2. Buffer overflows
8.2.1. Questions
8.2.1.1. String copy
8.2.2. Types
8.2.2.1. Stack-based
8.2.2.2. Heap/BSS-based
8.2.3. Understanding Assembly Language
8.2.3.1. Push pointers
8.2.3.2. Pop pointers
8.2.3.3. Different pointers
8.2.3.3.1. EIP
8.2.3.3.2. ESP
8.2.3.3.3. EBP
8.2.4. Example site/Links
8.2.4.1. nopsr.us
8.2.4.1.1. REALLY GEEKY
8.2.4.2. http://www.isg.rhul.ac.uk/files/Countermeasures.pdf
8.2.5. Howto detect BO's in a program
8.2.5.1. Use a fuzzer
8.2.5.2. Look at the source code
8.2.6. NOPS
8.2.6.1. also called Null Bytes
8.2.6.2. 0x90
8.2.6.3. x86
8.2.7. Canary word important for exam
8.3. Denial of Service
8.3.1. Are DOS attacks on the rise?
8.3.1.1. August 15 2003, Microsoft.com falls to a DOS attack. It lasts 2 hours
8.3.1.2. March 27 2003, 15:09 GMT, AlJazeera's English website coming online hours after a DOS attack hit.
8.3.2. Goal of DOS
8.3.2.1. Attackers flood a network, thereby preventing legitimate network traffic
8.3.2.2. Disrupt connections
8.3.2.3. Prevent individuals from accessing a service
8.3.2.4. Disrupt services
8.3.3. Impact and the modes of attack
8.3.3.1. Network connectivity
8.3.3.2. Misuse of Internal resources
8.3.3.3. Bandwidth consumption
8.3.3.4. Consumption of other resources
8.3.3.5. Destruction or alteration of configuration information
8.3.4. Types of attacks
8.3.4.1. DOS
8.3.4.1.1. DOS Tools
8.3.4.1.2. DOS attack classification
8.3.4.2. DDOS
8.3.4.2.1. DDOS attack classification
8.3.4.2.2. DDOS Tools
8.3.4.2.3. Tools to detect DDOS attacks
8.3.4.2.4. DDOS countermeasures
8.3.4.3. Reflected DOS attack
8.3.4.3.1. This is the next generation of DOS attacks. It uses the SYN flooding method, but with a twist. Instead of sending SYN packets to the server under attack it "reflects" them off any router or server connected to the internet.
8.3.4.3.2. The three way handshake is exploited
8.3.4.3.3. Any server could be used to send the packets
8.3.4.3.4. Countermeasures involve
8.3.5. Botnets
8.3.5.1. Uses of Botnet
8.3.5.1.1. DDOS attacks
8.3.5.1.2. Spamming
8.3.5.1.3. Sniffing traffic
8.3.5.1.4. Keylogging
8.3.5.1.5. Spreading new malware
8.3.5.1.6. Installing advertisement Addons
8.3.5.1.7. Google Adsense abuse
8.3.5.1.8. Attacking IRC chat networks
8.3.5.1.9. Manipulating online polls
8.3.5.1.10. Mass identity theft
8.3.5.2. Types of bots
8.3.5.2.1. Agobot/Phatbot/Fobot/XtremBot
8.3.5.2.2. SDBot/RBot/UrBot/UrXBot
8.3.5.2.3. mIRC-based Bots - GT-Bots
8.4. Virus and Worms
8.4.1. Differences
8.4.1.1. Worm
8.4.1.1.1. Propagates automatically
8.4.1.1.2. takes advantage of an Exploit
8.4.1.1.3. Special type of virus, that cannot attach to a program
8.4.1.2. Virus
8.4.1.2.1. Needs interaction to spread
8.4.1.2.2. Harder to remove
8.4.2. Questions
8.4.2.1. Macro viruses
8.4.2.2. Melissa virus
8.4.2.3. Difference between metamorphic and polymorphic viruses
8.4.2.4. History
8.4.2.5. What is a Sheep Dip
8.4.2.5.1. Way of testing viruses and what they do
8.4.2.6. How they propagate
8.4.2.7. Hoax viruses
8.4.2.8. EICAR.ORG has created a test virus. It's a file called EICAR.COM
8.4.3. Viruses
8.4.3.1. Characteristics
8.4.3.1.1. Resides in memory
8.4.3.1.2. Some leave the memory after execution
8.4.3.1.3. Change themselves
8.4.3.1.4. Hide themselves
8.4.3.1.5. Damage
8.4.3.2. Types of infection
8.4.3.2.1. Stealth Virus
8.4.3.2.2. Polymorphic
8.4.3.2.3. Cavity virus
8.4.3.2.4. Tunneling virus
8.4.3.2.5. Camouflage virus
8.4.3.2.6. Metamorphic virus
8.4.3.2.7. difference between polymorphic and metamorphic
8.4.3.3. Classification
8.4.3.3.1. File virus
8.4.3.3.2. Macro virus
8.4.3.3.3. System sectors or boot virus
8.4.3.3.4. Source code virus
8.4.3.3.5. Network virus
9. M09 - Windows Hacking
10. M10 - Advanced Vulnerability & Exploitation Techniques
11. M12 - Networks - Sniffing - IDS
11.1. Sniffers
11.1.1. How a sniffer works
11.1.1.1. Shared Ethernet
11.1.1.2. Switched Ethernet
11.1.1.3. ARP spoofing
11.1.1.4. MAC flooding
11.1.2. Protocols vulnerable to sniffing
11.1.2.1. Cleartext protocols
11.1.2.1.1. HTTP
11.1.2.1.2. SMTP
11.1.2.1.3. NNTP
11.1.2.1.4. POP
11.1.2.1.5. FTP
11.1.2.1.6. IMAP
11.1.2.1.7. Telnet and Rlogin
11.1.3. Sniffers
11.1.3.1. The Dude Sniffer
11.1.3.2. Ethereal/Wireshark
11.1.3.3. tcpdump
11.1.4. Passive Sniffing
11.1.4.1. Through a Hub
11.1.5. Active Sniffing
11.1.5.1. ARP Spoofing
11.1.5.1.1. Tools
11.1.5.2. MAC flooding
11.1.5.2.1. Macof
11.1.5.2.2. Etherflood
11.1.5.3. MAC duplicating
11.1.5.4. Through a switch
11.1.5.5. DNS Spoofing
11.1.5.5.1. Types of DNS Spoofing
11.1.6. RAW Sniffing Tools
11.1.6.1. Sniffit
11.1.6.2. Aldebaran
11.1.6.3. Hunt
11.1.6.3.1. Also used for Session Hijacking
11.1.6.4. NGSSniff
11.1.6.5. NTOP
11.1.6.6. PF
11.1.6.7. IPTraf
11.1.6.8. EtherApe
11.1.6.9. Snort
11.1.6.10. Windump/tcpdump
11.1.6.11. Etherpeek
11.1.6.12. Mac Changer
11.1.6.13. IRIS
11.1.6.14. NetIntercept
11.1.6.15. WinDNSSpoof
11.1.6.16. TCPick
11.2. IDS
12. M13 - Attacking Databases
13. M14 - Attacking Web Technologies
13.1. Web Based Password Cracking
13.1.1. Authentication Mechanisms
13.1.1.1. HTTP authentication
13.1.1.1.1. Basic authentication
13.1.1.1.2. Digest authentication (challenge)
13.1.1.2. Integrated Windows (NTLM) Authentication
13.1.1.3. Negotiate Authentication
13.1.1.4. Certificate-based authentication
13.1.1.5. Forms-based authentication
13.1.1.6. Microsoft Passport Authentication
13.1.2. Types of Biometrics authentication
13.1.2.1. Face Recognition
13.1.2.2. Iris Scanning
13.1.2.3. Retina Scanning
13.1.2.4. Fingerprinting
13.1.2.5. Hand Geometry
13.1.2.6. Voice Recognition
13.1.3. Questions
13.1.3.1. Obiwan
13.1.3.2. John the ripper
13.1.3.3. Snadboy
13.1.3.4. L0phtcrack
13.1.3.5. Cain and Abel
13.1.3.6. Hydra
14. M15 - Documentation
15. M11 - Attacking Wireless Networks
15.1. Wireless vs Wired networks
15.1.1. Cost
15.1.2. Reliability
15.1.3. Performance
15.1.4. Security
15.2. Types of Wireless Networks
15.2.1. Peer-to-peer Networks
15.2.2. Extension to Wired Network
15.2.3. Multiple Access Points
15.2.4. LAN to LAN Wireless
15.3. Advantages of Wireless Network
15.3.1. Provides mobility to users
15.3.2. Easy connection
15.3.3. Initial cost to setup is low
15.3.4. Data can be transmitted in different ways: Cellular Networks, Mobitex, DataTAC, Cellular Digital Packet Data
15.3.5. Sharing of data is easy among wireless devices
15.4. Disadvantages of Wireless Network
15.4.1. No physical protection
15.4.2. The risk of sharing data is high as packets are being sent through the air.
15.5. Wireless Standards
15.5.1. IEEE 802.11
15.5.1.1. a
15.5.1.1.1. 40 MHz to 5 GHz
15.5.1.1.2. More channels, high speeds, less interference
15.5.1.1.3. Speed 54 Mbps
15.5.1.2. b
15.5.1.2.1. "wifi" standard
15.5.1.2.2. 20 MHz to 2.4 GHz
15.5.1.2.3. Protocol of the WiFi revolution, de facto standard
15.5.1.3. n
15.5.1.3.1. Speed over 100 Mbps
15.5.1.4. i
15.5.1.4.1. Improves WLAN security
15.5.1.4.2. Also uses WPA
15.5.1.5. g
15.5.1.5.1. Similar to b but faster
15.5.1.5.2. backward compatible with b
15.5.2. IEEE 802.16
15.5.2.1. Long distance
15.6. Related tech and carrier networks
15.6.1. CDPD
15.6.2. 1xRTT on CDMA
15.6.3. GPRS/GSM
15.6.4. FRS & GMRS
15.6.5. HPNA & Powerline Ethernet
15.6.6. 802.1x
15.6.7. BSS & IBSS
15.7. SSID
15.7.1. unique identifier
15.7.2. NOT SECURE ENOUGH
15.7.3. Beacon frames
15.7.3.1. Broadcast the SSID
15.7.4. Is it secret?
15.7.4.1. NO!
15.8. Terminology
15.8.1. WarWalking
15.8.2. Wardriving
15.8.3. Warflying
15.8.4. WarChalking
15.8.4.1. )(, () (W)
15.8.5. Blue Jacking
15.8.6. Global Positioning System
15.9. Authentication modes
15.9.1. Authentication is done by:
15.9.1.1. A BSS providing a SSID
15.9.1.2. Shared Key authentication
15.9.1.2.1. Difficult to deploy
15.9.1.2.2. Difficult to change
15.9.1.2.3. Hard to keep secret
15.9.1.2.4. No accountability
15.10. WEP Encryption
15.11. Tools
15.11.1. wesside
15.11.2. airsnort
15.11.3. Wepcrack
15.11.4. Scanning tools
15.11.4.1. New node
15.11.5. Sniffing tools
15.11.5.1. Airopeek
15.11.5.2. Aerosol
15.11.5.3. Windump