CPTS by Mind Map: CPTS

1. SkriptJack

2. M01 - Business and Technical Logistics of PT

2.1. Types of Hackers

2.1.1. white hat Defensive hacker assigned to attack companies in order to improve their defense and security

2.1.2. gray hat Hacker who plays mainly a defensive role but sometimes uses his/her knowledge for black hat purposes

2.1.3. black hat Offensive hacker who attacks with intention of unauthorized theft or destruction of data

2.2. Types of attacks

2.2.1. Operating System attacks

2.2.2. Application-level attacks

2.2.3. Shrink wrap code attacks

2.2.4. Misconfiguration attacks

2.3. Security, Functionality and Ease of Use Triangle (more of one means less of the other two)

2.4. Security testing - hint: boxes

2.4.1. White box

2.4.2. Black box You know only the company name

2.4.3. gray box

2.5. Passive information gathering

2.6. Active information gathering

2.7. Attack Phases

2.7.1. Reconnaissance

2.7.2. Scanning

2.7.3. Gaining Access

2.7.4. Maintaining Access

2.7.5. Covering Tracks

2.8. Elements of Security

3. M02 - Information Gathering

3.1. Passive Information Gathering

3.1.1. Whois

3.1.2. Google

3.1.3. www.archive.org


3.1.5. www.centralops.net

3.1.6. DNS - SOA lookup at target - Tools used: nslookup, Sam Spade, dig, host - Resource records (RR) of interest: NS, SOA, A and MX
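What nslookup, dig and host do under the hood, as an added example (not part of the original mind map): build a DNS query and parse the answer section of a response for A, MX and NS records, including RFC 1035 name compression. The response bytes are constructed inline, so nothing is sent on the network; "example.com" and the addresses are placeholders.

```python
"""Hand-built DNS query and response parser (RFC 1035 wire format).

Added example; the response below is constructed, not a real capture.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def decode_name(data, off):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), end


def parse_response(data):
    """Return [(owner name, type, rdata), ...] for the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rd = data[off:off + rdlen]
        if rtype == QTYPE["A"]:
            rdata = ".".join(str(b) for b in rd)
        elif rtype == QTYPE["NS"]:
            rdata, _ = decode_name(data, off)
        elif rtype == QTYPE["MX"]:
            pref = struct.unpack(">H", rd[:2])[0]
            host, _ = decode_name(data, off + 2)
            rdata = (pref, host)
        elif rtype == QTYPE["SOA"]:
            mname, o2 = decode_name(data, off)
            rname, o2 = decode_name(data, o2)
            rdata = (mname, rname, struct.unpack(">I", data[o2:o2 + 4])[0])
        else:
            rdata = rd
        answers.append((name, QTYPE_NAME.get(rtype, rtype), rdata))
        off += rdlen
    return answers


def sample_response():
    """Constructed answer (not a real capture): A, MX and NS RRs whose owner
    names are 0xC00C pointers back to the question name at offset 12."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1, RD, RA
    question = encode_name("example.com") + struct.pack(">HH", QTYPE["A"], 1)
    ptr = b"\xc0\x0c"
    a_rr = ptr + struct.pack(">HHIH", QTYPE["A"], 1, 300, 4) + bytes([192, 0, 2, 1])
    mx_rdata = struct.pack(">H", 10) + b"\x04mail" + ptr          # mail.example.com
    mx_rr = ptr + struct.pack(">HHIH", QTYPE["MX"], 1, 300, len(mx_rdata)) + mx_rdata
    ns_rdata = b"\x03ns1" + ptr                                    # ns1.example.com
    ns_rr = ptr + struct.pack(">HHIH", QTYPE["NS"], 1, 300, len(ns_rdata)) + ns_rdata
    return hdr + question + a_rr + mx_rr + ns_rr
```

Sending `build_query()` over UDP port 53 to a resolver and feeding the reply to `parse_response()` gives the same records dig prints; the parser is also what you need when reading DNS out of a packet capture.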

3.1.7. Traceroute

3.2. Competitive Intelligence Gathering

3.2.1. Data Gathering

3.2.2. Data Analysis

3.2.3. Information Verification

3.2.4. Information Security

3.3. Social Engineering

3.3.1. Types of social engineering (persuasion principles): Reciprocation, Consistency, Social Validation, Liking, Authority, Scarcity; Human-based social engineering

3.3.2. Tactics or tricks for gaining sensitive information: Trust, Fear, Desire to Help. Social engineers attempt to gather information such as sensitive information, authorization details and access details

3.3.3. Computer-based social engineering: Pop-up windows, Mail attachments, Websites, Hoaxes and chain letters, Instant chat messengers, SPAM email, Phishing

3.3.4. Common targets: Receptionist and help desk personnel, Technical support executives, Vendors of the target organisation, System administrators and users

3.3.5. Behaviors vulnerable to attacks: Trust, Ignorance, Fear, Greed, Moral duty

3.3.6. Insider attack: Disgruntled employee. Preventing insider threat: Separation of duties, Rotation of duties, Least privilege, Controlled access, Logging and auditing, Legal policies, Archive critical data

3.3.7. Countermeasures: Classification of information, Access privileges, Background check of employees and proper termination process, Proper incident response system

4. M03 - Linux Fundamentals

5. M04 - Detecting Live Systems

5.1. Scanning

5.1.1. ICMP: echo request type 8, echo reply type 0, time exceeded type 11 (TTL expired; what traceroute relies on), destination unreachable type 3

5.1.2. TCP: three-way handshake (SYN, SYN/ACK, ACK); communication flags SYN, ACK, PSH, URG, FIN, RST

5.1.3. UDP

5.1.4. Nmap: commands, scan types, verbose output (-v), timing/speed templates (-T0 to -T5)

5.1.5. An attacker cannot simply spoof his IP address and expect to be able to scan or access a network undetected: replies to spoofed packets go to the spoofed address, so the attacker never sees them and cannot complete a TCP handshake.

5.1.6. If a system elicits no response: UDP is filtered by a gateway; the host might be down; the destination network might be down; ICMP is filtered by a gateway

5.1.7. After port scanning, an attacker grabs the banner of each open port to learn which service (and version) is running on it.

5.1.8. TCP connect scan is the most reliable scan (it completes the full three-way handshake and needs no raw-socket privileges), but also the noisiest: the completed connection is logged by the target application.

5.1.9. War dialing (calling number ranges to find answering modems) allows circumvention of perimeter protection mechanisms: a modem on an internal host puts the attacker directly on the internal network.

5.1.10. www.networkuptime.net/nmap/index.shtml
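The ICMP types, TCP flags and "no response" cases above, put together as an added example (not from the original mind map): build an ICMP echo request with a valid checksum, and classify the reply to a SYN probe the way nmap does (SYN/ACK = open, RST = closed, nothing or an ICMP unreachable = filtered). All packets are constructed with struct; nothing is sent, and the port numbers are placeholders.

```python
"""Classify scan responses from raw ICMP and TCP headers (added example)."""
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def checksum(data):
    """RFC 1071 one's-complement sum (ICMP, and TCP with a pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(ident=0x1234, seq=1, payload=b"ping"):
    """ICMP type 8: type, code, checksum, identifier, sequence, payload."""
    hdr = struct.pack(">BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(hdr + payload)
    return struct.pack(">BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_unreachable(code=13):
    """ICMP type 3; code 13 = communication administratively prohibited."""
    body = struct.pack(">BBHI", 3, code, 0, 0)
    return body[:2] + struct.pack(">H", checksum(body)) + body[4:]


def parse_icmp(pkt):
    """Return (type name, code); a packet with a good checksum sums to zero."""
    t, code, _csum = struct.unpack(">BBH", pkt[:4])
    if checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    return ICMP_TYPES.get(t, "type %d" % t), code


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header; checksum left 0 (needs the IP pseudo-header)."""
    bits = 0
    for f in flags:
        bits |= TCP_FLAGS[f]
    return struct.pack(">HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 8192, 0, 0)


def tcp_flags(hdr):
    """Set of flag names from byte 13 of the TCP header."""
    bits = hdr[13]
    return {name for name, b in TCP_FLAGS.items() if bits & b}


def classify_syn_scan(response):
    """Port state after a SYN probe.

    response is ("tcp", header_bytes), ("icmp", packet_bytes) or None.
    """
    if response is None:
        return "filtered"        # no reply: host down, or a firewall dropped it
    kind, raw = response
    if kind == "tcp":
        flags = tcp_flags(raw)
        if {"SYN", "ACK"} <= flags:
            return "open"        # handshake step 2; a SYN scan answers with RST
        if "RST" in flags:
            return "closed"
    if kind == "icmp":
        name, code = parse_icmp(raw)
        if name == "destination unreachable" and code in (1, 2, 3, 9, 10, 13):
            return "filtered"    # unreachable/prohibited codes nmap reports as filtered
    return "unknown"
```

Note that "filtered" covers two very different situations (a dropped probe and an explicit ICMP prohibited message); only the second tells you a filtering device actually exists.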

6. M05 - Reconnaissance

6.1. NetBIOS null sessions

6.1.1. uses ports 139 (NetBIOS session service) and 445 (SMB directly over TCP)

6.1.2. check for Windows: net use \\victim\ipc$ "" /user:""

6.2. Banner grabbing
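Banner grabbing as an added example (not from the original mind map): connect to a port, read the first line the service volunteers (or send a probe for services that wait for the client, like HTTP), and fingerprint it. To stay runnable offline it starts a throwaway local server that answers with a constructed SMTP-style banner; against a real target call grab_banner(host, port) directly. The banner text and hostname are made up.

```python
"""TCP banner grab with a local fake service for offline testing (added example)."""
import socket
import threading

# Constructed sample banner, not taken from any real host.
FAKE_BANNER = b"220 mail.example.test ESMTP Postfix (constructed sample)\r\n"


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect, optionally send a probe, return the first line the service sends.

    SMTP, FTP, SSH and POP3 talk first; HTTP does not, so pass
    probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n" for web servers.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


def start_fake_service(banner=FAKE_BANNER):
    """One-shot TCP server on 127.0.0.1 (random free port); returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def identify(banner):
    """Tiny fingerprint table keyed on banner text (illustrative only)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220") and "SMTP" in banner.upper():
        return "smtp"
    if banner.startswith("220"):
        return "ftp"
    return "unknown"


if __name__ == "__main__":
    p = start_fake_service()
    b = grab_banner("127.0.0.1", p)
    print(p, b, identify(b))
```

Banners can be changed or removed by administrators, so treat the result as a hint to confirm with protocol-specific probing, not as proof of the version.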

6.3. Tools to enumerate a system

6.3.1. IP-Tools

6.3.2. DumpSec

6.3.3. getif

6.3.4. winfo.exe

6.4. Data retrievable with Enumeration

6.4.1. usernames

6.4.2. usergroups


6.4.4. password policy: min length, lockout threshold, min age, max age, lockout duration, lockout reset

6.4.5. SID of administrator

6.4.6. password guessing

7. M07 - Vulnerability Assessments

8. M08 - Malware - Software Goes Undercover

8.1. Trojans & Backdoors

8.1.1. Overt channel

8.1.2. Covert channel

8.1.3. Types of Trojans: Remote Access, Data-Sending, Destructive, Denial-of-Service, Proxy, FTP, Security Software Disablers

8.1.4. Attack vectors: Instant Messaging, IRC (Internet Relay Chat), Via attachments, Physical access, Browser and email bugs, NetBIOS, Fake programs, Suspicious sites and freeware software

8.1.5. Working of Trojans: client/server model; command and control channel over IRC, ICQ, HTTP, RSS

8.1.6. Questions: Tini - port 7777, tiny (3 KB); NetCat; Cryptcat is Netcat with encryption; Back Orifice - ports 31337/31338; Sub7 - ports 6711, 6712, 6713; NetBus - ports 12345/12346; Beast - a royal pain to remove: run a Beast server and tell the client to disable itself; Loki - written by daemon9, covert channel over ICMP or UDP 53

8.1.7. Detect Trojans: netstat, Fport, TCPView, Process Viewer, What's on my computer, Insider, Ethereal/Wireshark, CurrPorts, Autoruns, msconfig, Tripwire (system integrity verifier)

8.2. Bufferoverflows

8.2.1. Questions: string copy (unbounded strcpy()-style copies into a fixed-size buffer)

8.2.2. Types: Stack-based, Heap/BSS-based

8.2.3. Understanding assembly language: push/pop on the stack; the different pointer registers EIP (instruction pointer), ESP (stack pointer), EBP (base/frame pointer)

8.2.4. Example sites/links: nopsr.us; REALLY GEEKY: http://www.isg.rhul.ac.uk/files/Countermeasures.pdf

8.2.5. How to detect BOs in a program: use a fuzzer; look at the source code

8.2.6. NOPs (no-operation, 0x90 on x86) form the sled in front of the shellcode; not the same thing as null bytes (0x00), which terminate C strings and usually have to be kept out of the payload

8.2.7. Canary word: a value placed between the local buffers and the saved return address and checked before the function returns, so an overflow that reaches the return address is detected - important for exam
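The stack-overflow mechanics from 8.2.1 through 8.2.7 as an added example (not from the original mind map): a cyclic pattern to find how many bytes it takes to reach the saved EIP, a bad-character check for the string-copy case, and the payload layout filler + return address + NOP sled + shellcode. The offset, return address and shellcode bytes are placeholders; on a real target they come from the debugger crash and a disassembler, and a stack canary would catch exactly this overwrite.

```python
"""Stack overflow payload assembly on 32-bit x86 (added example)."""
import struct

NOP = b"\x90"                  # x86 no-operation; not a null byte
BAD_CHARS = b"\x00\x0a\x0d"    # bytes a strcpy()/gets()-style copy will not carry


def find_bad_chars(data, bad=BAD_CHARS):
    """Positions of bytes that would truncate or corrupt a string copy."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def cyclic_pattern(length):
    """Aa0Aa1... pattern: every 4-byte window is unique, so the EIP value
    at the crash tells you the exact offset of the saved return address."""
    out = bytearray()
    for a in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for b in b"abcdefghijklmnopqrstuvwxyz":
            for c in b"0123456789":
                out += bytes([a, b, c])
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def crash_eip(pattern, offset):
    """Simulates what the debugger shows in EIP if the saved return address
    sits at `offset` in the overflowed buffer (little-endian dword)."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


def offset_of(pattern, eip_value):
    """Invert crash_eip: locate the dword from EIP inside the pattern."""
    return pattern.find(struct.pack("<I", eip_value))


def build_payload(offset, ret_addr, shellcode, sled=16, total=None):
    """filler (offset bytes) | saved-EIP overwrite | NOP sled | shellcode.

    ret_addr must land inside the sled (stack address or a jmp esp gadget),
    packed little-endian for x86. Raises if the result contains bad chars.
    """
    payload = b"A" * offset + struct.pack("<I", ret_addr) + NOP * sled + shellcode
    if total is not None:
        payload += NOP * (total - len(payload))
    bad = find_bad_chars(payload)
    if bad:
        raise ValueError("payload contains bad chars at %r" % bad)
    return payload


# Placeholder shellcode: int3 breakpoints, so a debugger stops if the sled is hit.
SAMPLE_SHELLCODE = b"\xcc" * 8
```

The filler length is the number of bytes from the start of the buffer to the saved return address (local variables plus saved EBP); the sled means the return address does not have to be exact.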

8.3. Denial of Service

8.3.1. Are DoS attacks on the rise? August 15 2003: Microsoft.com falls to a DoS attack lasting 2 hours. March 27 2003, 15:09 GMT: Al Jazeera's English website comes back online hours after a DoS attack hit.

8.3.2. Goal of DoS: attackers flood a network, thereby preventing legitimate network traffic; disrupt connections; prevent individuals from accessing a service; disrupt services

8.3.3. Impact and the modes of attack: network connectivity, misuse of internal resources, bandwidth consumption, consumption of other resources, destruction or alteration of configuration information

8.3.4. Types of attacks: DoS, DoS tools, DoS attack classification; DDoS, DDoS attack classification, DDoS tools, tools to detect DDoS attacks, DDoS countermeasures; Reflected DoS attack - the next generation of DoS attacks. It uses the SYN flooding method, but with a twist: instead of sending SYN packets to the server under attack, it "reflects" them off any router or server connected to the internet by sending SYNs with the victim's spoofed source address, so every reflector's SYN/ACK lands on the victim. The three-way handshake is exploited, and any server could be used to send the packets. Countermeasures involve

8.3.5. Botnets - uses of a botnet: DDoS attacks, spamming, sniffing traffic, keylogging, spreading new malware, installing advertisement add-ons, Google AdSense abuse, attacking IRC chat networks, manipulating online polls, mass identity theft. Types of bots: Agobot/Phatbot/Forbot/XtremBot; SDBot/RBot/UrBot/UrXBot; mIRC-based bots (GT-Bots)

8.4. Virus and Worms

8.4.1. Differences - Worm: propagates automatically, takes advantage of an exploit; a special type of virus that does not attach itself to a program. Virus: needs user interaction to spread; harder to remove

8.4.2. Questions: macro viruses; Melissa virus; difference between metamorphic and polymorphic viruses; history; what is a sheep dip (an isolated machine used for testing viruses, what they do and how they propagate); hoax viruses; EICAR.ORG has created a test virus, a file called EICAR.COM

8.4.3. Viruses - characteristics: resides in memory (some leave memory after execution), change themselves, hide themselves, cause damage. Types of infection: stealth virus, polymorphic, cavity virus, tunneling virus, camouflage virus, metamorphic virus (difference between polymorphic and metamorphic: polymorphic re-encrypts its body with a varying decryptor, metamorphic rewrites its own code each generation). Classification: file virus, macro virus, system sector or boot virus, source code virus, network virus

9. M09 - Windows Hacking

10. M10 - Advanced Vulnerability & Exploitation Techniques

11. M12 - Networks -Sniffing - IDS

11.1. Sniffers

11.1.1. How a sniffer works: shared Ethernet (hub: every frame reaches every port, so a promiscuous NIC sees everything) vs switched Ethernet (frames go only to the destination port, so ARP spoofing or MAC flooding is needed to see other hosts' traffic)

11.1.2. Protocols vulnerable to sniffing (cleartext protocols): HTTP, SMTP, NNTP, POP, FTP, IMAP, Telnet and rlogin

11.1.3. Sniffers: The Dude Sniffer, Ethereal/Wireshark, tcpdump

11.1.4. Passive Sniffing Through a Hub

11.1.5. Active sniffing (through a switch): ARP spoofing tools; MAC flooding (macof, EtherFlood); MAC duplicating; DNS spoofing and the types of DNS spoofing

11.1.6. Raw sniffing tools: Sniffit, Aldebaran, Hunt (also used for session hijacking), NGSSniff, NTOP, PF, IPTraf, EtherApe, Snort, WinDump/tcpdump, EtherPeek, MAC Changer, IRIS, NetIntercept, WinDNSSpoof, TCPick

11.2. IDS
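The active-sniffing techniques from 11.1.5 and the IDS view of them from 11.2, as one added example (not from the original mind map): build Ethernet/ARP frames the way an ARP spoofing tool or macof does, then run an ARP-cache-style detector over the frame stream that alerts when an IP suddenly maps to a different MAC (spoofing) or when the number of distinct source MACs explodes (MAC flooding). The MACs, IPs and the frame stream are constructed; nothing is captured or transmitted.

```python
"""ARP frame construction and ARP spoof / MAC flood detection (added example)."""
import struct
from collections import Counter

ETH_P_ARP = 0x0806
BCAST = b"\xff" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def arp_frame(op, sha, spa, tha, tpa, dst=None):
    """Ethernet II header + ARP (op 1 = request, 2 = reply)."""
    eth = (dst or BCAST) + sha + struct.pack(">H", ETH_P_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame):
    """Dict of ARP fields, or None for non-ARP frames."""
    if struct.unpack(">H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack(">H", frame[20:22])[0]
    return {"op": op,
            "sha": frame[22:28].hex(":"), "spa": ".".join(map(str, frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": ".".join(map(str, frame[38:42]))}


def detect(frames, flood_threshold=50):
    """Keep an IP->MAC table like a host's ARP cache and emit alerts."""
    table, alerts, senders = {}, [], Counter()
    for f in frames:
        a = parse_arp(f)
        if a is None:
            continue
        senders[a["sha"]] += 1
        prev = table.get(a["spa"])
        if prev and prev != a["sha"]:
            alerts.append(("arp-spoof", a["spa"], prev, a["sha"]))  # IP changed owner
        table[a["spa"]] = a["sha"]
        if a["op"] == 2 and a["tha"] == "ff:ff:ff:ff:ff:ff":
            alerts.append(("gratuitous-reply", a["spa"], a["sha"]))
    if len(senders) >= flood_threshold:
        alerts.append(("mac-flood", len(senders)))    # CAM table exhaustion attempt
    return alerts


def sample_stream():
    """Constructed: victim asks for the gateway, the gateway answers, then an
    attacker claims the gateway IP, then a macof-style burst of random MACs."""
    gw_mac, gw_ip = mac("00:11:22:33:44:55"), ip("192.168.1.1")
    vic_mac, vic_ip = mac("aa:bb:cc:dd:ee:01"), ip("192.168.1.20")
    atk_mac = mac("de:ad:be:ef:00:01")
    frames = [
        arp_frame(1, vic_mac, vic_ip, b"\x00" * 6, gw_ip),
        arp_frame(2, gw_mac, gw_ip, vic_mac, vic_ip, dst=vic_mac),
        arp_frame(2, atk_mac, gw_ip, vic_mac, vic_ip, dst=vic_mac),   # spoofed reply
    ]
    for i in range(60):
        src = struct.pack(">HI", 0x0200, i)                           # fake source MAC
        frames.append(arp_frame(1, src, ip("10.0.0.%d" % i), b"\x00" * 6, ip("10.0.0.1")))
    return frames
```

A switch under MAC flooding falls back to hub behaviour once its CAM table is full, which is why the flood counter belongs in the same detector as the spoof check.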

12. M13 - Attacking Databases

13. M14 - Attacking Web Technologies

13.1. Web Based Password Cracking

13.1.1. Authentication mechanisms - HTTP authentication: Basic authentication, Digest authentication (challenge/response), Integrated Windows (NTLM) authentication, Negotiate authentication, Certificate-based authentication, Forms-based authentication, Microsoft Passport authentication

13.1.2. Types of biometric authentication: face recognition, iris scanning, retina scanning, fingerprinting, hand geometry, voice recognition

13.1.3. Questions (tools): Obiwan, John the Ripper, Snadboy, L0phtCrack, Cain & Abel, Hydra
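Basic versus Digest authentication from 13.1.1, and the offline attack the cracking tools in 13.1.3 run against a capture, as an added example (not from the original mind map): Basic is only base64, so a sniffed header yields the password directly; Digest hides it behind MD5, but a captured challenge and response can still be brute-forced by recomputing the response for each candidate password. The Digest values are the RFC 2617 worked example (user Mufasa, realm testrealm@host.com); the word list is constructed.

```python
"""HTTP Basic decode and Digest response computation / dictionary attack (added example)."""
import base64
import hashlib


def basic_header(user, password):
    """Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header):
    """Recover [user, password] from a sniffed Basic header: no secret involved."""
    if not header.startswith("Basic "):
        raise ValueError("not a Basic header")
    return base64.b64decode(header[6:]).decode().split(":", 1)


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2) or, with qop, MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def crack_digest(captured, wordlist, user, realm, nonce, method, uri, **kw):
    """Offline dictionary attack: every field except the password is in the capture."""
    for pw in wordlist:
        if digest_response(user, pw, realm, nonce, method, uri, **kw) == captured:
            return pw
    return None


# RFC 2617 section 3.5 example exchange (public test vector).
RFC_USER, RFC_REALM = "Mufasa", "testrealm@host.com"
RFC_NONCE, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
RFC_URI, RFC_RESPONSE = "/dir/index.html", "6629fae49393a05397450978507c4ef1"

# Constructed word list (the real password is the RFC's "Circle Of Life").
WORDLIST = ["123456", "password", "letmein", "Circle Of Life", "qwerty"]


def demo_crack():
    """Recover the RFC example password from its captured response."""
    return crack_digest(RFC_RESPONSE, WORDLIST, RFC_USER, RFC_REALM, RFC_NONCE,
                        "GET", RFC_URI, qop="auth", nc="00000001", cnonce=RFC_CNONCE)
```

Digest therefore only buys you protection against a passive observer reading the password off the wire; against a weak password and a captured exchange it is one unsalted MD5 chain per guess, which is why TLS plus a strong password policy matters more than the choice of HTTP auth scheme.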

14. M15 - Documentation

15. M11 - Attacking Wireless Networks

15.1. Wireless vs Wired networks

15.1.1. Cost

15.1.2. Reliability

15.1.3. Performance

15.1.4. Security

15.2. Types of Wireless Networks

15.2.1. Peer-to-peer Networks

15.2.2. Extension to Wired Network

15.2.3. Multiple Access Points

15.2.4. LAN to LAN Wireless

15.3. Advantages of Wireless Network

15.3.1. Provides mobility to users

15.3.2. Easy connection

15.3.3. Initial cost to setup is low

15.3.4. Data can be transmitted in different ways: Cellular networks, Mobitex, DataTAC, Cellular Digital Packet Data (CDPD)

15.3.5. Sharing of data is easy among wireless devices

15.4. Disadvantages of Wireless Network

15.4.1. No physical protection

15.4.2. The risk of sharing data is high as packets are being sent through the air.

15.5. Wireless Standards

15.5.1. IEEE 802.11 - a: 5 GHz band, more channels, high speed (54 Mbps), less interference - b: 2.4 GHz band, the "Wi-Fi" standard, protocol of the Wi-Fi revolution, de facto standard - g: similar to b but faster (54 Mbps), backward compatible with b - n: speed over 100 Mbps - i: improves WLAN security; basis of WPA/WPA2

15.5.2. IEEE 802.16 Long distance

15.6. Related tech and carrier networks

15.6.1. CDPD

15.6.2. 1xRTT on CDMA

15.6.3. GPRS/GSM

15.6.4. FRS & GMRS

15.6.5. HPNA & Powerline Ethernet

15.6.6. 802.1x

15.6.7. BSS & IBSS

15.7. SSID

15.7.1. unique identifier


15.7.3. Beacon frames Broadcast the SSID

15.7.4. Is it secret? NO!

15.8. Terminology

15.8.1. WarWalking

15.8.2. Wardriving

15.8.3. Warflying

15.8.4. WarChalking - chalk symbols: )( open node, () closed node, (W) WEP node

15.8.5. Blue Jacking

15.8.6. Global Positioning System

15.9. Authentication modes

15.9.1. Authentication is done by: open system (a BSS providing an SSID, i.e. no real authentication); shared key authentication - difficult to deploy, difficult to change, hard to keep secret, no accountability

15.10. WEP Encryption
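Why WEP is broken, as an added example (not from the original mind map) behind what tools like airsnort and WEPCrack exploit: WEP seeds RC4 with a 24-bit IV prepended to the shared key and protects integrity with a plain CRC-32. The block implements RC4 and WEP framing on constructed frames and shows that two frames under the same IV leak P1 XOR P2, that one known plaintext gives the whole keystream for that IV, and that the recovered keystream lets an attacker forge a valid frame without ever knowing the key. The shared key, IV and frame contents are made up.

```python
"""RC4, WEP framing, and keystream reuse under a repeated IV (added example)."""
import zlib


def rc4(key, data):
    """RC4 key schedule + PRGA; returns data XOR keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """iv || RC4(iv || key, plaintext || CRC32(plaintext)); iv is sent in clear."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key, frame):
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_from_known_plaintext(frame, known_plaintext):
    """Attacker knows P (fixed LLC/SNAP header, injected text): C XOR P = keystream."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def forge_with_keystream(iv, keystream, new_plaintext):
    """Encrypt a chosen message under the reused IV with no key at all;
    CRC-32 is linear and unkeyed, so the ICV can simply be recomputed."""
    data = new_plaintext + zlib.crc32(new_plaintext).to_bytes(4, "little")
    if len(keystream) < len(data):
        raise ValueError("not enough keystream")
    return iv + xor(data, keystream)


# Constructed demo values, not from any real network.
SHARED_KEY = bytes.fromhex("0102030405")        # 40-bit WEP key
IV = b"\x01\x02\x03"                             # 24 bits: repeats after ~16M frames
P1 = b"GET /index.html HTTP/1.0\r\n"
P2 = b"USER alice PASS hunter2\r\n"


def demo():
    """Two frames under one IV -> P1 XOR P2 leaks; known P1 -> forge a frame."""
    c1 = wep_encrypt(SHARED_KEY, IV, P1)
    c2 = wep_encrypt(SHARED_KEY, IV, P2)
    leaked = xor(c1[3:], c2[3:])[:len(P2)]       # equals P1 XOR P2 (no key needed)
    ks = keystream_from_known_plaintext(c1, P1)
    forged = forge_with_keystream(IV, ks, b"USER bob PASS x\r\n")
    return leaked, wep_decrypt(SHARED_KEY, forged)
```

On a busy network IV collisions happen within hours, and the key-recovery attacks (FMS and successors) go further by using weak IVs to recover the shared key itself; this block only shows the reuse problem that makes per-IV keystreams worth collecting.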

15.11. Tools

15.11.1. wesside

15.11.2. airsnort

15.11.3. Wepcrack

15.11.4. Scanning tools

15.11.5. Sniffing tools Airopeek Aerosol Windump
