CPTS


CPTS by Mind Map: CPTS

1. SkriptJack

2. M01 - Business and Technical Logistics of PT

2.1. Types of Hackers

2.1.1. white hat

2.1.1.1. Defensive hacker assigned to attack companies in order to improve their defense and security

2.1.2. gray hat

2.1.2.1. Hacker plays mainly a defensive role but sometimes uses his/her knowledge for black hat purposes

2.1.3. black hat

2.1.3.1. Offensive hacker who attacks with intention of unauthorized theft or destruction of data

2.2. Types of attacks

2.2.1. Operating System attacks

2.2.2. Application-level attacks

2.2.3. Shrink wrap code attacks

2.2.4. Misconfiguration attacks

2.3. Functionality, and Ease of Use Triangle

2.4. Security testing - hint: boxes

2.4.1. White box

2.4.2. Black box

2.4.2.1. You know only the company name

2.4.3. gray box

2.5. Passive information gathering

2.6. Active information gathering

2.7. Attack Phases

2.7.1. Reconnaissance

2.7.2. Scanning

2.7.3. Gaining Access

2.7.4. Maintaining Access

2.7.5. Covering Tracks

2.8. Elements of Security

3. M02 - Information Gathering

3.1. Passive Information Gathering

3.1.1. Whois

3.1.2. Google

3.1.3. www.archive.org

3.1.4. ICANN

3.1.4.1. ARIN

3.1.4.2. RIPE ncc

3.1.4.3. LACNIC

3.1.4.4. AfriNIC

3.1.4.5. APNIC

3.1.5. www.centralops.net

3.1.6. DNS

3.1.6.1. DNS - SOA lower at target - Tools used: NSlookup, Sam Spade, Dig, Host - RR records contain NS, SOA, A & MX

3.1.7. Traceroute

3.2. Competitive Intelligence Gathering

3.2.1. Data Gathering

3.2.2. Data Analysis

3.2.3. Information Verification

3.2.4. Information Security

3.3. Social Engineering

3.3.1. Types of social engineering

3.3.1.1. Reciprocation

3.3.1.2. Consistency

3.3.1.3. Social Validation

3.3.1.4. Liking

3.3.1.5. Authority

3.3.1.5.1. Human-based Social Engineering

3.3.1.6. Scarcity

3.3.2. Tactic or Trick of gaining sensitive information

3.3.2.1. Trust

3.3.2.2. Fear

3.3.2.3. Desire to Help

3.3.2.4. Social Engineers attempt to gather information such as

3.3.2.4.1. Sensitive information

3.3.2.4.2. Authorization details

3.3.2.4.3. Access Details

3.3.3. Computer based Social Engineering

3.3.3.1. Pop-up Windows

3.3.3.2. Mail Attachments

3.3.3.3. Websites

3.3.3.4. Hoaxes and Chain letters

3.3.3.5. Instant Chat messenger

3.3.3.6. SPAM email

3.3.3.7. Phishing

3.3.4. Common targets

3.3.4.1. Receptionist and help desk personnel

3.3.4.2. Technical Support executives

3.3.4.3. Vendors of target organisation

3.3.4.4. System administrators and users

3.3.5. Behaviors Vulnerable to Attacks

3.3.5.1. Trust

3.3.5.2. Ignorance

3.3.5.3. Fear

3.3.5.4. Greed

3.3.5.5. Moral Duty

3.3.6. Insider attack

3.3.6.1. Disgruntled Employee

3.3.6.2. Preventing Insider Threat

3.3.6.2.1. Separation of Duties

3.3.6.2.2. Rotation of duties

3.3.6.2.3. Least privilege

3.3.6.2.4. Controlled Access

3.3.6.2.5. Logging and Auditing

3.3.6.2.6. Legal policies

3.3.6.2.7. Archive critical data

3.3.7. Countermeasures

3.3.7.1. Classification of information

3.3.7.2. Access privileges

3.3.7.3. Background check of employees and proper termination process

3.3.7.4. Proper incident response system

4. M03 - Linux Fundamentals

5. M04 - Detecting Live Systems

5.1. Scanning

5.1.1. ICMP

5.1.1.1. request

5.1.1.1.1. type 8

5.1.1.2. reply

5.1.1.2.1. type 0

5.1.1.3. TTL Exceeded

5.1.1.3.1. type 11

5.1.1.4. destination unreachable

5.1.1.4.1. type 3

5.1.2. TCP

5.1.2.1. Three way handshake

5.1.2.2. communication flags

5.1.2.2.1. SYN

5.1.2.2.2. ACK

5.1.2.2.3. PSH

5.1.2.2.4. URG

5.1.2.2.5. FIN

5.1.2.2.6. RST

5.1.3. UDP

5.1.4. Nmap

5.1.4.1. Nmap commands

5.1.4.1.1. scans

5.1.4.1.2. verbose

5.1.4.1.3. speeds

5.1.5. An attacker cannot simply spoof his IP address and expect to be able to scan or access a network undetected.

5.1.6. If a system elicits no response: UDP is filtered by a gateway; the host might be down; the destination network might be down; ICMP is filtered by a gateway.

5.1.7. After port scanning, an attacker grabs the banner of an open port to learn which service is running on each port.

5.1.8. TCP Connect scan is the most reliable scan

5.1.9. War Dialing allows circumvention of protection mechanisms by being on the internal network

5.1.10. www.networkuptime.net/nmap/index.shtml

6. M05 - Reconnaissance

6.1. NetBIOS null sessions

6.1.1. used ports

6.1.1.1. 139

6.1.1.2. 445

6.1.2. check for

6.1.2.1. Windows: net use \\victim\ipc$ "" /user:""

6.2. Banner grabbing

6.3. Tools to enumerate a system

6.3.1. IP-Tools

6.3.2. DumpSec

6.3.3. getif

6.3.4. winfo.exe

6.4. Data retrievable with Enumeration

6.4.1. usernames

6.4.2. usergroups

6.4.3. shares

6.4.4. password policy

6.4.4.1. min length

6.4.4.2. lockout threshold

6.4.4.3. min age

6.4.4.4. max age

6.4.4.5. lockout duration

6.4.4.6. lockout reset

6.4.5. SID of administrator

6.4.6. password guessing

7. M07 - Vulnerability Assessments

8. M08 - Malware - Software Goes Undercover

8.1. Trojans & Backdoors

8.1.1. Overt channel

8.1.2. Covert channel

8.1.3. Types of Trojans

8.1.3.1. Remote Access

8.1.3.2. Data-Sending

8.1.3.3. Destructive

8.1.3.4. Denial-of-Service

8.1.3.5. Proxy

8.1.3.6. FTP

8.1.3.7. Security Software Disablers

8.1.4. Attack vectors

8.1.4.1. Instant Messaging

8.1.4.2. IRC (Internet Relay Chat)

8.1.4.3. Via Attachments

8.1.4.4. Physical Access

8.1.4.5. Browser and Email Bugs

8.1.4.6. NetBIOS

8.1.4.7. Fake Programs

8.1.4.8. Suspicious Sites and Freeware Software

8.1.5. Working of Trojans

8.1.5.1. Client Server model

8.1.5.2. Command and control channel

8.1.5.2.1. IRC

8.1.5.2.2. ICQ

8.1.5.2.3. HTTP

8.1.5.2.4. RSS

8.1.6. Questions

8.1.6.1. Tini

8.1.6.1.1. 7777

8.1.6.1.2. It's tiny

8.1.6.1.3. 3kb

8.1.6.2. NetCat

8.1.6.2.1. Cryptcat is Netcat with encryption

8.1.6.3. BackOrifice

8.1.6.3.1. port numbers 31337/31338

8.1.6.4. Sub7

8.1.6.4.1. ports 6711,6712,6713

8.1.6.5. NetBus

8.1.6.5.1. ports 12345/12346

8.1.6.6. Beast

8.1.6.6.1. It's a royal pain in the ass

8.1.6.6.2. remove by running a beast server and tell the client to disable itself

8.1.6.7. Loki

8.1.6.7.1. written by daemon9

8.1.6.7.2. access over ICMP

8.1.6.7.3. UDP 53

8.1.7. Detect trojans

8.1.7.1. Netstat

8.1.7.2. Fport

8.1.7.3. TCPview

8.1.7.4. Process viewer

8.1.7.5. What's on my computer

8.1.7.6. Insider

8.1.7.7. Ethereal/Wireshark

8.1.7.8. Currports

8.1.7.9. autoruns

8.1.7.10. msconfig

8.1.7.11. Tripwire

8.1.7.11.1. System integrity verifier

8.2. Buffer overflows

8.2.1. Questions

8.2.1.1. String copy

8.2.2. Types

8.2.2.1. Stack-based

8.2.2.2. Heap/BSS-based

8.2.3. Understanding Assembly Language

8.2.3.1. Push pointers

8.2.3.2. Pop pointers

8.2.3.3. Different pointers

8.2.3.3.1. EIP

8.2.3.3.2. ESP

8.2.3.3.3. EBP

8.2.4. Example site/Links

8.2.4.1. nopsr.us

8.2.4.1.1. REALLY GEEKY

8.2.4.2. http://www.isg.rhul.ac.uk/files/Countermeasures.pdf

8.2.5. How to detect BOs in a program

8.2.5.1. Use a fuzzer

8.2.5.2. Look at the source code

8.2.6. NOPS

8.2.6.1. also called Null Bytes

8.2.6.2. 0x90

8.2.6.3. x86

8.2.7. Canary word important for exam

8.3. Denial of Service

8.3.1. Are DOS attacks on the rise?

8.3.1.1. August 15 2003, Microsoft.com falls to a DoS attack. It lasts 2 hours

8.3.1.2. March 27 2003, 15:09 GMT, Al Jazeera's English website comes back online hours after a DoS attack hit.

8.3.2. Goal of DOS

8.3.2.1. Attackers flood a network, thereby preventing legitimate network traffic

8.3.2.2. Disrupt connections

8.3.2.3. Prevent individuals from accessing a service

8.3.2.4. Disrupt services

8.3.3. Impact and the modes of attack

8.3.3.1. Network connectivity

8.3.3.2. Misuse of Internal resources

8.3.3.3. Bandwidth consumption

8.3.3.4. Consumption of other resources

8.3.3.5. Destruction or alteration of configuration information

8.3.4. Types of attacks

8.3.4.1. DOS

8.3.4.1.1. DOS Tools

8.3.4.1.2. DOS attack classification

8.3.4.2. DDOS

8.3.4.2.1. DDOS attack classification

8.3.4.2.2. DDOS Tools

8.3.4.2.3. Tools to detect DDOS attacks

8.3.4.2.4. DDOS countermeasures

8.3.4.3. Reflected DOS attack

8.3.4.3.1. This is the next generation of DOS attacks. It uses the SYN flooding method, but with a twist. Instead of sending SYN packets to the server under attack it "reflects" them off any router or server connected to the internet.

8.3.4.3.2. The three way handshake is exploited

8.3.4.3.3. Any server could be used to send the packets

8.3.4.3.4. Countermeasures involve

8.3.5. Botnets

8.3.5.1. Uses of Botnet

8.3.5.1.1. DDOS attacks

8.3.5.1.2. Spamming

8.3.5.1.3. Sniffing traffic

8.3.5.1.4. Keylogging

8.3.5.1.5. Spreading new malware

8.3.5.1.6. Installing advertisement add-ons

8.3.5.1.7. Google Adsense abuse

8.3.5.1.8. Attacking IRC chat networks

8.3.5.1.9. Manipulating online polls

8.3.5.1.10. Mass identity theft

8.3.5.2. Types of bots

8.3.5.2.1. Agobot/Phatbot/Fobot/XtremBot

8.3.5.2.2. SDBot/RBot/UrBot/UrXBot

8.3.5.2.3. mIRC-based Bots - GT-Bots

8.4. Virus and Worms

8.4.1. Differences

8.4.1.1. Worm

8.4.1.1.1. Propagates automatically

8.4.1.1.2. takes advantage of an Exploit

8.4.1.1.3. Special type of virus, that cannot attach to a program

8.4.1.2. Virus

8.4.1.2.1. Needs interaction to spread

8.4.1.2.2. Harder to remove

8.4.2. Questions

8.4.2.1. Macro viruses

8.4.2.2. Melissa virus

8.4.2.3. Difference between metamorphic and polymorphic viruses

8.4.2.4. History

8.4.2.5. What is a Sheep Dip

8.4.2.5.1. Way of testing viruses and what they do

8.4.2.6. How they propagate

8.4.2.7. Hoax viruses

8.4.2.8. EICAR.ORG has created a test virus. It's a file called EICAR.COM

8.4.3. Viruses

8.4.3.1. Characteristics

8.4.3.1.1. Resides in memory

8.4.3.1.2. Some leave the memory after execution

8.4.3.1.3. Change themselves

8.4.3.1.4. Hide themselves

8.4.3.1.5. Damage

8.4.3.2. Types of infection

8.4.3.2.1. Stealth Virus

8.4.3.2.2. Polymorphic

8.4.3.2.3. Cavity virus

8.4.3.2.4. Tunneling virus

8.4.3.2.5. Camouflage virus

8.4.3.2.6. Metamorphic virus

8.4.3.2.7. difference between polymorphic and metamorphic

8.4.3.3. Classification

8.4.3.3.1. File virus

8.4.3.3.2. Macro virus

8.4.3.3.3. System sectors or boot virus

8.4.3.3.4. Source code virus

8.4.3.3.5. Network virus

9. M09 - Windows Hacking

10. M10 - Advanced Vulnerability & Exploitation Techniques

11. M12 - Networks -Sniffing - IDS

11.1. Sniffers

11.1.1. How a sniffer works

11.1.1.1. Shared Ethernet

11.1.1.2. Switched Ethernet

11.1.1.3. ARP spoofing

11.1.1.4. Mac flooding

11.1.2. Protocols vulnerable to sniffing

11.1.2.1. Cleartext protocols

11.1.2.1.1. HTTP

11.1.2.1.2. SMTP

11.1.2.1.3. NNTP

11.1.2.1.4. POP

11.1.2.1.5. FTP

11.1.2.1.6. IMAP

11.1.2.1.7. Telnet and Rlogin

11.1.3. Sniffers

11.1.3.1. The Dude Sniffer

11.1.3.2. Ethereal/Wireshark

11.1.3.3. tcpdump

11.1.4. Passive Sniffing

11.1.4.1. Through a Hub

11.1.5. Active Sniffing

11.1.5.1. ARP Spoofing

11.1.5.1.1. Tools

11.1.5.2. MAC flooding

11.1.5.2.1. Macof

11.1.5.2.2. Etherflood

11.1.5.3. MAC duplicating

11.1.5.4. Through a switch

11.1.5.5. DNSSpoofing

11.1.5.5.1. Types of DNSSpoofing

11.1.6. RAW Sniffing Tools

11.1.6.1. Sniffit

11.1.6.2. Aldebaran

11.1.6.3. Hunt

11.1.6.3.1. Also used for Session Hijacking

11.1.6.4. NGSSniff

11.1.6.5. NTOP

11.1.6.6. PF

11.1.6.7. IPTraf

11.1.6.8. EtherApe

11.1.6.9. Snort

11.1.6.10. Windump/tcpdump

11.1.6.11. Etherpeek

11.1.6.12. Mac Changer

11.1.6.13. IRIS

11.1.6.14. NetIntercept

11.1.6.15. WinDNSSpoof

11.1.6.16. TCPick

11.2. IDS

12. M13 - Attacking Databases

13. M14 - Attacking Web Technologies

13.1. Web Based Password Cracking

13.1.1. Authentication Mechanisms

13.1.1.1. HTTP authentication

13.1.1.1.1. Basic authentication

13.1.1.1.2. Digest authentication (challenge)

13.1.1.2. Integrated Windows (NTLM) Authentication

13.1.1.3. Negotiate Authentication

13.1.1.4. Certificate-based authentication

13.1.1.5. Forms-based authentication

13.1.1.6. Microsoft Passport Authentication

13.1.2. Types of Biometrics authentication

13.1.2.1. Face Recognition

13.1.2.2. Iris Scanning

13.1.2.3. Retina Scanning

13.1.2.4. Fingerprinting

13.1.2.5. Hand Geometry

13.1.2.6. Voice Recognition

13.1.3. Questions

13.1.3.1. Obiwan

13.1.3.2. John the ripper

13.1.3.3. Snadboy

13.1.3.4. L0phtcrack

13.1.3.5. Cain and Abel

13.1.3.6. Hydra

14. M15 - Documentation

15. M11 - Attacking Wireless Networks

15.1. Wireless vs Wired networks

15.1.1. Cost

15.1.2. Reliability

15.1.3. Performance

15.1.4. Security

15.2. Types of Wireless Networks

15.2.1. Peer-to-peer Networks

15.2.2. Extension to Wired Network

15.2.3. Multiple Access Points

15.2.4. LAN to LAN Wireless

15.3. Advantages of Wireless Network

15.3.1. Provides mobility to users

15.3.2. Easy connection

15.3.3. Initial cost to setup is low

15.3.4. Data can be transmitted in different ways: Cellular Networks, Mobitex, DataTAC, Cellular Digital Packet Data

15.3.5. Sharing of data is easy among wireless devices

15.4. Disadvantages of Wireless Network

15.4.1. No physical protection

15.4.2. The risk of sharing data is high as packets are being sent through the air.

15.5. Wireless Standards

15.5.1. IEEE 802.11

15.5.1.1. a

15.5.1.1.1. 40 MHz to 5 GHz

15.5.1.1.2. More channels, high speeds, less interference

15.5.1.1.3. Speed 54 Mbps

15.5.1.2. b

15.5.1.2.1. "Wi-Fi" standard

15.5.1.2.2. 20 MHz to 2.4 GHz

15.5.1.2.3. Protocol of the Wi-Fi revolution, de facto standard

15.5.1.3. n

15.5.1.3.1. Speed over 100 Mbps

15.5.1.4. i

15.5.1.4.1. Improves WLAN security

15.5.1.4.2. Also uses WPA

15.5.1.5. g

15.5.1.5.1. Similar to b but faster

15.5.1.5.2. backward compatible with b

15.5.2. IEEE 802.16

15.5.2.1. Long distance

15.6. Related tech and carrier networks

15.6.1. CDPD

15.6.2. 1xRTT on CDMA

15.6.3. GPRS/GSM

15.6.4. FRS & GMRS

15.6.5. HPNA & Powerline Ethernet

15.6.6. 802.1x

15.6.7. BSS & IBSS

15.7. SSID

15.7.1. unique identifier

15.7.2. NOT SECURE ENOUGH

15.7.3. Beacon frames

15.7.3.1. Broadcast the SSID

15.7.4. Is it secret?

15.7.4.1. NO!

15.8. Terminology

15.8.1. WarWalking

15.8.2. Wardriving

15.8.3. Warflying

15.8.4. WarChalking

15.8.4.1. )( open node, () closed node, (W) WEP node

15.8.5. Blue Jacking

15.8.6. Global Positioning System

15.9. Authentication modes

15.9.1. Authentication is done by:

15.9.1.1. A BSS providing a SSID

15.9.1.2. Shared Key authentication

15.9.1.2.1. Difficult to deploy

15.9.1.2.2. Difficult to change

15.9.1.2.3. Hard to keep secret

15.9.1.2.4. No accountability

15.10. WEP Encryption

15.11. Tools

15.11.1. wesside

15.11.2. airsnort

15.11.3. Wepcrack

15.11.4. Scanning tools


15.11.5. Sniffing tools

15.11.5.1. Airopeek

15.11.5.2. Aerosol

15.11.5.3. Windump
