

CPTS


M01 - Business and Technical Logistics of PT

Types of Hackers

white hat, Ethical hacker authorised to attack companies in order to improve their defences and security

gray hat, Hacker who plays mainly a defensive role but sometimes uses his/her knowledge for black hat purposes

black hat, Offensive hacker who attacks with the intention of unauthorised theft or destruction of data

Types of attacks

Operating System attacks

Application-level attacks

Shrink wrap code attacks

Misconfiguration attacks

Security, Functionality and Ease of Use triangle, pushing towards any one corner moves away from the other two

Security testing - hint: boxes

White box, Full knowledge of the target (network diagrams, source code, credentials)

Black box, You know only the company name

Gray box, Partial knowledge, e.g. a normal user account or an internal IP range

Passive information gathering

Active information gathering

Attack Phases

Reconnaissance

Scanning

Gaining Access

Maintaining Access

Covering Tracks

Elements of Security

M02 - Information Gathering

Passive Information Gathering

Whois

Google

www.archive.org

ICANN, ARIN, RIPE ncc, LACNIC, AfriNIC, APNIC

www.centralops.net

DNS, Start from the SOA record of the target domain, Tools used: nslookup, Sam Spade, dig, host, Resource records of interest: NS, SOA, A and MX

Traceroute

Competitive Intelligence Gathering

Data Gathering

Data Analysis

Information Verification

Information Security

Social Engineering

Types of social engineering, Persuasion principles, Reciprocation, Consistency, Social validation, Liking, Authority, Scarcity, Human-based social engineering, Posing as a legitimate user, Posing as an important user, Posing as technical support, Eavesdropping, Shoulder surfing, Dumpster diving, Tailgating, Piggybacking, Reverse social engineering, Sabotage, Marketing, Providing support

Tactics or tricks for gaining sensitive information, Trust, Fear, Desire to help, Social engineers attempt to gather, Sensitive information, Authorisation details, Access details

Computer-based social engineering, Pop-up windows, Mail attachments, Websites, Hoaxes and chain letters, Instant chat messengers, Spam email, Phishing

Common targets, Receptionists and help desk personnel, Technical support executives, Vendors of the target organisation, System administrators and users

Behaviours vulnerable to attack, Trust, Ignorance, Fear, Greed, Moral duty

Insider attack, Disgruntled employee, Preventing insider threats, Separation of duties, Rotation of duties, Least privilege, Controlled access, Logging and auditing, Legal policies, Archive critical data

Countermeasures, Classification of information, Access privileges, Background checks of employees and a proper termination process, Proper incident response system

M03 - Linux Fundamentals

M04 - Detecting Live Systems

Scanning

ICMP, Echo request, type 8, Echo reply, type 0, Time exceeded (TTL exceeded), type 11, Destination unreachable, type 3, code 13 = communication administratively prohibited (a filtering device answered, so the host is there but shielded)

TCP, Three-way handshake (SYN, SYN/ACK, ACK), communication flags, SYN, ACK, PSH, URG, FIN, RST

UDP, Connectionless, no handshake, a closed port answers with ICMP port unreachable (type 3 code 3), an open port usually answers nothing, so "open" and "filtered" look alike

Nmap, Nmap commands, scans, parameters to know, -sS SYN scan / half-open scan, -sT TCP connect scan, -sF FIN scan, -sX Xmas scan, -sN Null scan, -sP ping scan (called -sn in current Nmap), -sU UDP scan, -g source port number, -sO protocol scan, -sI idle scan, -sA ACK scan, -sW Window scan, -sR RPC scan (removed from current Nmap, covered by -sV), -sL list scan, -v verbose, -T0 to -T5 timing/speeds

An attacker cannot simply spoof his IP address and still scan a network: the replies go to the spoofed address, not to the attacker, so nothing comes back. The idle scan (-sI) is the exception that works around this by reading the zombie's IP ID counter.

If a system elicits no response: UDP is filtered by a gateway, the host might be down, the destination network might be down, ICMP is filtered by a gateway.

After port scanning, an attacker grabs the banner of an open port to identify the service running on it.

TCP connect scan is the most reliable scan (full handshake, no raw sockets needed), but also the most likely to be logged by the target.

War dialing: dialling into an unprotected modem places the attacker directly on the internal network, circumventing the perimeter protection mechanisms.

www.networkuptime.net/nmap/index.shtml
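The connect scan and banner grab described above, as an added example (not code from the page or from Nmap): it completes the three-way handshake against each port, classifies the result the way Nmap reports it, and reads the service banner from anything that answers. The target is a throwaway listener on loopback that this script starts itself, so the fake SSH banner and the port numbers are constructed for the demo.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port.

    This is the constructed scan target for the demo; it sends a fake SSH
    banner so the banner grab has something to read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed -> stop serving
                return
            with conn:
                conn.sendall(b"SSH-2.0-demo_banner\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.5, grab_banner=True):
    """TCP connect scan (what nmap -sT does): complete the three-way handshake.

    Returns {port: (state, banner)} where state is
      open     - connect() succeeded (SYN -> SYN/ACK -> ACK)
      closed   - the host answered with RST (connection refused)
      filtered - no answer before the timeout: a firewall dropped the SYN,
                 the host is down, or the route is broken (the same
                 ambiguity as the "no response" list above)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            results[port] = ("closed", None)
        except OSError:               # includes the timeout
            results[port] = ("filtered", None)
        else:
            banner = None
            if grab_banner:
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except OSError:
                    banner = ""       # open, but the service waits for us to talk first
            results[port] = ("open", banner)
        finally:
            s.close()
    return results


def demo_scan():
    """Scan one open and one closed loopback port; returns what the test checks."""
    srv, open_port = start_listener()
    # Pick a port that is certainly closed: bind an ephemeral port, then release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo_scan()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port}/tcp {state} {banner or ''}")
```

A connect scan shows up in the target's application logs because the handshake completes; a SYN scan (-sS) sends RST after the SYN/ACK and needs raw sockets, which is why Nmap requires root for it. Note that "filtered" here is a timeout, exactly the ambiguity the list above describes: it cannot tell a dropping firewall from a dead host.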

M05 - Reconnaissance

NetBIOS null sessions

used ports, 139, 445

check for, Windows: net use \\victim\IPC$ "" /user:"" (empty password, empty user name)

Banner grabbing

Tools to enumerate a system

IP-Tools

DumpSec

getif

winfo.exe

Data retrievable with Enumeration

usernames

usergroups

shares

password policy, min length, lockout threshold, min age, max age, lockout duration, lockout reset

SID of administrator

password guessing

M07 - Vulnerability Assessments

M08 - Malware - Software Goes Undercover

Trojans & Backdoors

Overt channel

Covert channel

Types of Trojans, Remote Access, Data-Sending, Destructive, Denial-of-Service, Proxy, FTP, Security Software Disablers

Attack vectors, Instant Messaging, IRC (Internet Relay Chat), Via Attachments, Physical Access, Browser and Email Bugs, NetBIOS, Fake Programs, Suspicious Sites and Freeware Software

Working of Trojans, Client Server model, Command and control channel, IRC, ICQ, HTTP, RSS

Questions, Tini, listens on port 7777, tiny (3 KB), Netcat, Cryptcat is Netcat with encryption, Back Orifice, ports 31337/31338, Sub7, ports 6711, 6712, 6713, NetBus, ports 12345/12346, Beast, hard to remove, remove it by running a Beast server and telling the client to disable itself, Loki, written by daemon9 (Phrack), covert channel over ICMP echo or UDP 53

Detect trojans, netstat, Fport, TCPView, Process viewer, What's on my computer, Insider, Ethereal/Wireshark, CurrPorts, Autoruns, msconfig, Tripwire, system integrity verifier, checks file hashes against a known-good baseline
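The "system integrity verifier, checks file hashes" idea from the detection list above, written out as an added example (not Tripwire's code and not from the page): take a baseline of digests and permission bits over a tree, then re-scan and report what was modified, added or removed. The directory, the file contents and the "trojan" activity are all constructed inside a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through the hash so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every file under root: digest, size and permission bits, keyed by
    relative path (forward slashes so the report looks the same on any OS)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,   # permission bits only
            }
    return baseline


def verify(root, baseline):
    """Re-scan root and diff it against the trusted baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, known in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now["sha256"] != known["sha256"] or now["mode"] != known["mode"]:
            report["modified"].append(rel)
    report["added"].extend(rel for rel in current if rel not in baseline)
    for key in report:
        report[key].sort()
    return report


def write_file(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a clean tree, then simulate a trojan dropper."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "bin/netstat", b"#!/bin/sh\necho real netstat\n")
        write_file(root, "bin/ls", b"#!/bin/sh\necho ls\n")
        write_file(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)        # keep this copy OFF the monitored host

        # "Attacker" activity: trojaned netstat that hides port 7777,
        # a dropped backdoor binary, and a deleted config file.
        write_file(root, "bin/netstat", b"#!/bin/sh\necho real netstat | grep -v 7777\n")
        write_file(root, "tmp/tini.exe", b"MZ constructed backdoor stub")
        os.remove(os.path.join(root, "etc/hosts"))

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner should keep in mind: the baseline and the verifier itself must live on read-only or off-host media, otherwise a trojan that replaced netstat can just as well replace the baseline; and a kernel-level rootkit can lie to open() and stat(), so this catches user-land trojans like the ones listed above, not everything.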

Bufferoverflows

Questions, Unbounded string copy (strcpy, strcat, sprintf, gets) is the classic cause

Types, Stack-based, Heap/BSS-based

Understanding assembly language, push/pop on the stack, the registers that matter, EIP (instruction pointer, what the attacker wants to control), ESP (stack pointer), EBP (base/frame pointer, sits next to the saved return address)

Example sites/links, nopsr.us, REALLY GEEKY, http://www.isg.rhul.ac.uk/files/Countermeasures.pdf

How to detect BOs in a program, Use a fuzzer, Review the source code for unbounded copies

NOP sled, 0x90 on x86, not a null byte: 0x00 terminates C strings and is exactly what overflow payloads must avoid

Canary word, a value placed before the saved return address and checked on return, important for exam

Denial of Service

Are DoS attacks on the rise?, August 15 2003, Microsoft.com falls to a DoS attack lasting 2 hours, March 27 2003, 15:09 GMT, Al Jazeera's English website comes back online hours after a DoS attack

Goal of DoS, Attackers flood a network, thereby preventing legitimate network traffic, Disrupt connections, Prevent individuals from accessing a service, Disrupt services

Impact and the modes of attack, Network connectivity, Misuse of internal resources, Bandwidth consumption, Consumption of other resources (CPU, memory, connection tables), Destruction or alteration of configuration information

Types of attacks, DoS, DDoS, Reflected DoS

DoS tools, Jolt2, Land / LaTierra, Targa (8 different DoS attacks in one tool)

DoS attack classification, Smurf (ICMP echo to a broadcast address with the victim as spoofed source) or Fraggle (the same with UDP), Buffer overflow attack, Ping of death, a ping packet that exceeds the 65,535-byte IP maximum once reassembled, Teardrop, overlapping IP fragments confuse reassembly, the UDP variant (unnamed attack) has gaps instead of overlapping fragments, SYN flood, leaves half-open connections that exhaust the listen backlog

DDoS attack classification, Bandwidth consumption, Flood attack, TCP/UDP/ICMP, Amplification attack, Smurf, Fraggle, Resource consumption, Protocol exploit attack, TCP SYN attack, PSH+ACK attack, Malformed packet attack

DDoS tools, Shaft, Trinoo (UDP flood), TFN, TFN2k, Stacheldraht, Trinity (IRC based), Knight (IRC based), MStream, Kaiten (IRC based), Shaft ports, Client to handler 20432/tcp, Handler to agents 18753/udp, Agent to handlers 20433/udp

Tools to detect DDoS attacks, ipgrep, tcpdstat, findoffer

DDoS countermeasures, Detect and neutralize handlers, Detect and prevent secondary victims, Network service providers, Individual users, Install software patches, Built-in defences, Detect and prevent potential attacks, MIB statistics, Egress filtering of outgoing traffic, Mitigate/stop attacks, Load balancing, Throttling, Drop requests, Deflect attacks, Honeypot, Shadow real network resources, Study the attack, Post-attack forensics, Traffic pattern analysis, Packet trace back, Event logs

Reflected DoS attack, The next generation of DoS attack. It uses the SYN flooding method, but with a twist: instead of sending SYN packets to the server under attack it "reflects" them off any router or server connected to the internet, by spoofing the victim's address as source so every reflector answers the victim with SYN/ACKs, The three-way handshake is exploited, Any server could be used to send the packets, Countermeasures involve, Blocking port 179 (BGP) on routers so they cannot serve as reflectors, Configuring routers to drop SYN packets destined for a particular address or address group, Blocking all ports above 1023 for servers, ISPs could prevent the transmission of fraudulently addressed packets (packets with an IP source address not within their address space) from within their networks (egress filtering, BCP 38). This control mechanism alone would have a major dampening effect on this type of attack
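Two of the attack patterns above, a SYN flood from spoofed sources and Smurf amplification, are easy to recognise in a capture once you know what to count. The detector below is an added example (not from the page or from the tools it lists): it reads tcpdump -n style one-line summaries, counts SYNs against completed handshakes per service, and flags echo requests aimed at a directed-broadcast address. The capture lines, the addresses and the thresholds are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# tcpdump -n style summaries; the capture below is constructed, not recorded.
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")


def analyse(lines, broadcast_addrs, syn_threshold=20, completion_ratio=0.2):
    """Flag SYN floods (many SYNs, few completed handshakes) and Smurf
    amplification (echo requests aimed at a directed-broadcast address).

    A spoofed SYN flood never sends the third packet, so the ratio of bare
    ACKs to SYNs on the target port collapses; the count of distinct sources
    shows whether the source addresses are random (spoofed) or real."""
    syns = Counter()                  # (dst, dport) -> SYNs received
    acks = Counter()                  # (dst, dport) -> bare ACKs received (handshake step 3)
    syn_sources = defaultdict(set)    # (dst, dport) -> distinct source IPs
    bcast_echo = Counter()            # (claimed src, broadcast dst) -> echo requests

    for line in lines:
        m = TCP_RE.search(line)
        if m:
            src, _sport, dst, dport, flags = m.groups()
            key = (dst, int(dport))
            if flags == "S":
                syns[key] += 1
                syn_sources[key].add(src)
            elif flags == ".":
                acks[key] += 1
            continue
        m = ICMP_RE.search(line)
        if m:
            src, dst = m.groups()
            if dst in broadcast_addrs:
                bcast_echo[(src, dst)] += 1

    findings = []
    for key, n in syns.items():
        if n >= syn_threshold and acks[key] < completion_ratio * n:
            findings.append({"type": "syn_flood", "target": f"{key[0]}:{key[1]}",
                             "syns": n, "acks": acks[key],
                             "distinct_sources": len(syn_sources[key])})
    for (victim, bcast), n in bcast_echo.items():
        # The "source" of an echo request to a broadcast address is the victim:
        # every host on that segment will reply to it.
        findings.append({"type": "smurf", "victim": victim,
                         "broadcast": bcast, "echo_requests": n})
    return findings


def sample_capture():
    """Constructed capture: 3 legitimate SSH sessions, a spoofed SYN flood on
    port 80, and 5 echo requests to a broadcast address with the victim as source."""
    lines = []
    for i in range(3):
        lines += [f"IP 10.0.0.{i + 1}.5000{i} > 192.168.1.10.22: Flags [S]",
                  f"IP 192.168.1.10.22 > 10.0.0.{i + 1}.5000{i}: Flags [S.]",
                  f"IP 10.0.0.{i + 1}.5000{i} > 192.168.1.10.22: Flags [.]"]
    for i in range(40):   # one SYN per fake source; the third packet never comes
        lines.append(f"IP 203.0.113.{i + 1}.{40000 + i} > 192.168.1.10.80: Flags [S]")
        lines.append(f"IP 192.168.1.10.80 > 203.0.113.{i + 1}.{40000 + i}: Flags [S.]")
    for _ in range(5):
        lines.append("IP 192.168.1.10 > 10.0.0.255: ICMP echo request")
    return lines


if __name__ == "__main__":
    for finding in analyse(sample_capture(), {"10.0.0.255"}):
        print(finding)
```

The completion-ratio test is deliberately crude (it counts every bare ACK on the port, not only handshake ACKs), which is fine for a flood that is forty SYNs with nothing after them but would need per-connection tracking on a busy server. The broadcast addresses have to be supplied because the detector cannot know the subnet masks of the monitored segments.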

Botnets, Uses of botnets, DDoS attacks, Spamming, Sniffing traffic, Keylogging, Spreading new malware, Installing advertisement add-ons, Google AdSense abuse, Attacking IRC chat networks, Manipulating online polls, Mass identity theft, Types of bots, Agobot/Phatbot/Forbot/XtremBot, SDBot/RBot/UrBot/UrXBot, poorly written bots, the father of the family is SDBot, mIRC-based bots, GT-Bots, GT is an abbreviation for Global Threat

Virus and Worms

Differences, Worm, Propagates automatically, takes advantage of an exploit, a special type of virus that does not need to attach itself to a program, Virus, Needs user interaction to spread, attaches to a host program, Harder to remove

Questions, Macro viruses, Melissa virus, Difference between metamorphic and polymorphic viruses, History, What is a sheep dip, an isolated machine used for testing viruses, what they do and how they propagate, Hoax viruses, EICAR.org has created a test file, EICAR.COM, which every anti-virus product must detect

Viruses, Characteristics, Resides in memory, Some leave memory after execution, Change themselves, Hide themselves, Encryption, Alters disks or directories, Avoids detection by redirection of data

Damage, Hardware, Power faults, Frequency shifts, Sudden power failure, Voltage spikes, Brownout, Age, Equipment incompatibilities, Typos, Accidental or malicious damage, Problems with magnets, Software

Types of infection, Stealth virus, removal: cold boot from a write-protected CD, never trust DOS commands run from the infected system, use anti-virus software, Polymorphic, Cavity virus, Tunnelling virus, Camouflage virus, Metamorphic virus, examples Win32/Simile, Zmist, difference between polymorphic (same body under a changing encryption/decryptor) and metamorphic (rewrites its own code every generation)

Classification, File virus, Macro virus, System sector or boot virus, removal: check on a periodic basis, Source code virus, Network virus

M09 - Windows Hacking

M10 - Advanced Vulnerability & Exploitation Techniques

M12 - Networks -Sniffing - IDS

Sniffers

How a sniffer works, Shared Ethernet (hub: every frame reaches every port, just set the NIC to promiscuous mode), Switched Ethernet (frames only go to the destination port, so you need ARP spoofing or MAC flooding to see other hosts' traffic)

Protocols vulnerable to sniffing, Cleartext protocols, HTTP, SMTP, NNTP, POP, FTP, IMAP, Telnet and rlogin

Sniffers, The Dude Sniffer, Ethereal/Wireshark, tcpdump

Passive sniffing, Through a hub

Active sniffing, Through a switch

ARP spoofing, Tools, ARP Spoof, Ettercap, Cain and Abel, Nemesis (packet crafting: arp, dns, ethernet, icmp, igmp, ip, ospf, rip, tcp, udp)

dsniff package, arpspoof, dnsspoof, dsniff, filesnarf, mailsnarf, msgsnarf, sshmitm, tcpkill, tcpnice, urlsnarf, webspy (displays sniffed URLs in the browser in real time), webmitm (HTTP/HTTPS monkey-in-the-middle)

MAC flooding, macof, Etherflood, MAC duplicating

DNS spoofing, Types of DNS spoofing, Intranet DNS spoofing, Internet DNS spoofing, Proxy server DNS poisoning, DNS cache poisoning

RAW sniffing tools, Sniffit, Aldebaran, Hunt (also used for session hijacking), NGSSniff, NTOP, PF, IPTraf, EtherApe, Snort, WinDump/tcpdump, EtherPeek, MAC Changer, IRIS, NetIntercept, WinDNSSpoof, TCPick
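The ARP spoofing attack above (arpspoof, Ettercap, Cain) works by sending forged ARP replies; the defence side is an arpwatch-style monitor that remembers which MAC answered for which IP and alerts when that changes. The following is an added example (not from the page, arpwatch or dsniff): it builds raw Ethernet+ARP frames, parses them, and feeds a constructed sequence (normal replies, then an attacker taking over both the gateway and the victim address) through the monitor. All MACs and IPs are made up for the demo.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply: 14-byte Ethernet header + 28-byte ARP."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4, reply
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Parse Ethernet + ARP; returns None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper,
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


class ArpWatch:
    """Remember IP -> MAC from replies; alert when a mapping flips or one MAC
    starts answering for several IPs (the signature of a full MITM)."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append({"kind": "mac_changed", "ip": ip, "old": known, "new": mac})
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append({"kind": "one_mac_many_ips", "mac": mac, "ips": claimed})


def demo():
    """Constructed traffic: gateway and victim answer normally, then the attacker
    (MAC de:ad:be:ef:00:ee) poisons both sides, as arpspoof would."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    vic_mac, vic_ip = "00:11:22:33:44:02", "192.168.1.20"
    att_mac = "de:ad:be:ef:00:ee"
    w = ArpWatch()
    w.observe(build_arp_reply(gw_mac, gw_ip, vic_mac, vic_ip))    # legitimate
    w.observe(build_arp_reply(vic_mac, vic_ip, gw_mac, gw_ip))    # legitimate
    w.observe(build_arp_reply(att_mac, gw_ip, vic_mac, vic_ip))   # "I am the gateway" -> victim
    w.observe(build_arp_reply(att_mac, vic_ip, gw_mac, gw_ip))    # "I am the victim" -> gateway
    return w


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

On a real network the monitor must see the poisoned replies, which means it has to sit on the same segment as the victims (or read a span port); a switch with dynamic ARP inspection blocks the forged replies outright instead of just logging them. A legitimate NIC swap also triggers mac_changed, so the alert needs a human or an asset database behind it.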

IDS

M13 - Attacking Databases

M14 - Attacking Web Technologies

Web Based Password Cracking

Authentication mechanisms, HTTP authentication, Basic authentication (credentials Base64-encoded, not encrypted, trivially recovered from a capture), Digest authentication (challenge/response, MD5 of the password with a server nonce), Integrated Windows (NTLM) authentication, Negotiate authentication (Kerberos or NTLM), Certificate-based authentication, Forms-based authentication, Microsoft Passport authentication

Types of biometric authentication, Face recognition, Iris scanning, Retina scanning, Fingerprinting, Hand geometry, Voice recognition

Questions (tools), Obiwan, John the Ripper, SnadBoy Revelation, L0phtCrack, Cain and Abel, Hydra
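Why Basic and Digest authentication both belong under "web based password cracking", as an added example that is not from the page or any of the tools listed: Basic is just Base64, and Digest, although it never sends the password, can be attacked offline from one captured Authorization header because every input to the MD5 except the password is in that header. The captured headers and the wordlist are constructed for the demo; the RFC 2617 section 3.5 test vector is used only to check that the computation is right.

```python
import base64
import hashlib


def decode_basic(header_value):
    """Basic auth: 'Basic base64(user:pass)'. Encoding, not encryption."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header_value):
    """Parse the key="value" pairs of an 'Authorization: Digest ...' header."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def crack_digest(header_value, method, wordlist):
    """Offline dictionary attack on a sniffed Digest response: each guess costs
    three MD5s and needs no further contact with the server."""
    f = parse_digest(header_value)
    for guess in wordlist:
        r = digest_response(f["username"], f["realm"], guess, method, f["uri"],
                            f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
        if r == f["response"]:
            return guess
    return None


def rfc2617_self_check():
    """Recompute the worked example from RFC 2617 section 3.5."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b") == "6629fae49393a05397450978507c4ef1"


# Constructed "capture": user alice logged in with password Winter2024!
CAPTURED_BASIC = "Basic " + base64.b64encode(b"alice:Winter2024!").decode()
_NONCE, _NC, _CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
_RESPONSE = digest_response("alice", "intranet", "Winter2024!", "GET", "/payroll",
                            _NONCE, _NC, _CNONCE)
CAPTURED_DIGEST = (f'Digest username="alice", realm="intranet", nonce="{_NONCE}", '
                   f'uri="/payroll", qop=auth, nc={_NC}, cnonce="{_CNONCE}", '
                   f'response="{_RESPONSE}"')
WORDLIST = ["password", "Summer2023", "alice123", "Winter2024!", "letmein"]

if __name__ == "__main__":
    print("basic  ->", decode_basic(CAPTURED_BASIC))
    print("digest ->", crack_digest(CAPTURED_DIGEST, "GET", WORDLIST))
```

Digest only protects against a passive attacker who has no wordlist hit, and then only as well as MD5 and the password's entropy allow; over plain HTTP both schemes should be treated as recoverable. Hydra and similar tools do the online version of the same loop against the live server, which is why lockout thresholds (see the password policy items under enumeration) matter.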

M15 - Documentation

M06 - Cryptography

Asymmetric

DH

RSA

Elliptic Curves

Key pair, Public, distributed in an X.509 certificate, Private, stored in hardware, Smartcard, HSM, stored in software, P12/PFX file (PKCS#12, the Microsoft name is .pfx), RSA is based on the multiplication of two large primes, Multiplication is easy, Factoring the product back into the original primes is hard, Use of large prime numbers

Symmetric

(3)DES, Block modes, ECB, Electronic Code Book, Weakness: identical plaintext blocks give identical ciphertext blocks, so patterns in the data show through, CBC, Cipher Block Chaining, the ciphertext of the previous block is XORed into the next plaintext block before encryption (an IV takes that role for the first block), Stream modes of a block cipher, OFB, CFB, Counter mode (CTR), RC4 (a true stream cipher), Lucifer (IBM cipher that DES was derived from), 3DES running modes, EDE, 2 keys, Encrypt(K1), Decrypt(K2), Encrypt(K1), 3 keys, Encrypt(K1), Decrypt(K2), Encrypt(K3), DES suspicion, a backdoor known to the (US) government was long suspected because the S-box design criteria were kept secret; none was ever shown, and the S-boxes later turned out to resist differential cryptanalysis

AES, Rijndael, Key size, 128, 192 or 256 bits (block size fixed at 128)

Session key / shared secret

Twofish, also a competitor for the AES title

Combination of asymmetric and symmetric, asymmetric crypto exchanges or wraps a shared secret, the symmetric cipher encrypts the bulk data

PKI

Root CA, Sub-CA

Cross-signing

Hierarchical Trust, TTP

PGP

Open PGP

GnuPG

IDEA

Web of trust (ring of trust), no central CA, users sign each other's keys

One-way functions

MAC, message authentication code, a keyed hash such as HMAC, gives integrity and authenticity, not confidentiality

Hash, MD5 (128-bit), SHA-1 (160-bit), both broken for collisions, use SHA-2 or SHA-3 today

Collisions, Birthday paradox
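The birthday paradox in practice, as an added example (not from the page): against an n-bit hash a collision is expected after roughly sqrt(pi/2 * 2^n) hashes, i.e. about 2^(n/2), not 2^n. The code truncates SHA-256 to n bits to stand in for a weak hash (that truncation is the constructed part), then finds two different messages with the same 32-bit digest in around 80,000 attempts; the same attack against full MD5 is what the real MD5 collision results exploit with far better than brute force.

```python
import hashlib
import math


def truncated_hash(data, bits):
    """First `bits` bits of SHA-256 as an int: a toy n-bit hash built from a real one."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Birthday attack: hash distinct messages and remember every digest seen
    until one repeats. Memory, not time, is the usual limit (2^(n/2) entries)."""
    seen = {}
    attempts = 0
    while True:
        attempts += 1
        msg = prefix + str(attempts).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts      # two different messages, same digest
        seen[h] = msg


def expected_attempts(bits):
    """Expected number of hashes before the first collision: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def preimage_attempts(bits):
    """For comparison: expected work to hit one specific digest is 2^n."""
    return 2 ** bits


if __name__ == "__main__":
    for n in (16, 24, 32):
        m1, m2, tries = find_collision(n)
        print(f"{n}-bit: {m1!r} and {m2!r} collide after {tries} tries "
              f"(expected ~{expected_attempts(n):.0f}, preimage would be {preimage_attempts(n)})")
```

This is why a hash needs twice the bit length of the security level you want: a 128-bit hash like MD5 offers at most 64 bits against collisions even if the hash were perfect, and digital signatures, which sign a hash, inherit that bound.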

Attacks

Ciphertext only

Known plaintext

Known ciphertext (same model as ciphertext only)

Chosen plaintext

Chosen ciphertext

Clipper chip

Skipjack (the escrowed cipher inside it)

never widely adopted

One-time pad

Limited Access

Locks, attacks, bump keys

Reception

Smartcards

M11 - Attacking Wireless Networks

Wireless vs Wired networks

Cost

Reliability

Performance

Security

Types of Wireless Networks

Peer-to-peer Networks

Extension to Wired Network

Multiple Access Points

LAN to LAN Wireless

Advantages of Wireless Network

Provides mobility to users

Easy connection

Initial cost to setup is low

Data can be transmitted in different ways, Cellular networks, Mobitex, DataTAC, Cellular Digital Packet Data (CDPD)

Sharing of data is easy among wireless devices

Disadvantages of Wireless Network

No physical protection

The risk to shared data is high because packets travel through the air and can be received by anyone in range.

Wireless Standards

IEEE 802.11, a, 5 GHz, 54 Mbps, more non-overlapping channels, less interference, b, 2.4 GHz, 11 Mbps, the original "Wi-Fi" standard that started the Wi-Fi revolution, de facto standard, g, 2.4 GHz, 54 Mbps, backward compatible with b, n, 2.4 and 5 GHz, speed over 100 Mbps, i, security amendment, replaces WEP, WPA was the interim subset and WPA2 the full standard

IEEE 802.16 (WiMAX), long distance

Related tech and carrier networks

CDPD

1xRTT on CDMA

GPRS/GSM

FRS & GMRS

HPNA & Powerline Ethernet

802.1x

BSS & IBSS

SSID

unique identifier

NOT SECURE ENOUGH

Beacon frames, Broadcast the SSID

Is it secret?, NO!
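Why the SSID is not a secret, as an added example (not from the page): every access point broadcasts it in beacon frames several times a second, in the clear, together with the channel and whether encryption is enabled. The code builds a minimal 802.11 beacon from the constructed BSSIDs and names below and parses it back; a "hidden" SSID just means the SSID element has length zero in the beacon, and the name still appears in the probe request/response exchange whenever a client connects.

```python
import struct

ESS_BIT, PRIVACY_BIT = 0x0001, 0x0010          # capability field flags


def build_beacon(bssid, ssid, channel, privacy, hidden=False):
    """Construct a minimal 802.11 beacon (management frame, subtype 8)."""
    frame_control = bytes([0x80, 0x00])          # version 0, type mgmt, subtype beacon
    duration = b"\x00\x00"
    addr1 = b"\xff" * 6                          # receiver: broadcast
    bssid_b = bytes.fromhex(bssid.replace(":", ""))
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + addr1 + bssid_b + bssid_b + seq_ctrl   # 24 bytes
    capability = ESS_BIT | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)    # timestamp, interval (TU), capability
    ssid_bytes = b"" if hidden else ssid.encode()
    ies = bytes([0, len(ssid_bytes)]) + ssid_bytes      # element 0: SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])        # element 1: supported rates (1,2,5.5,11)
    ies += bytes([3, 1, channel])                       # element 3: DS parameter set (channel)
    return header + fixed + ies


def parse_beacon(frame):
    """Pull BSSID, SSID, channel and the privacy flag out of a beacon; None if not one."""
    if len(frame) < 36:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if (ftype, subtype) != (0, 8):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    _timestamp, interval, capability = struct.unpack("<QHH", frame[24:36])
    info = {"bssid": bssid, "beacon_interval_ms": interval * 1.024,
            "privacy": bool(capability & PRIVACY_BIT),
            "ssid": None, "hidden": False, "channel": None}
    pos = 36
    while pos + 2 <= len(frame):                 # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            info["ssid"] = value.decode(errors="replace")
            info["hidden"] = length == 0 or value == b"\x00" * length
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


if __name__ == "__main__":
    # Constructed access points, not real ones.
    for frame in (build_beacon("00:1a:2b:3c:4d:5e", "CorpWiFi", 6, True),
                  build_beacon("00:1a:2b:3c:4d:5f", "Guest", 11, False),
                  build_beacon("00:1a:2b:3c:4d:60", "Secret", 1, True, hidden=True)):
        print(parse_beacon(frame))
```

The privacy bit only says "some encryption"; telling WEP from WPA/WPA2 needs the RSN (element 48) or vendor WPA elements, which this minimal parser does not emit. Tools like Kismet or airodump-ng do exactly this parsing on every beacon they hear, which is all wardriving is.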

Terminology

WarWalking

Wardriving

Warflying

WarChalking, )( open node, () closed node, (W) WEP node

Blue Jacking

Global Positioning System

Authentication modes

Authentication is done by:, Open system authentication (any station that presents the SSID is accepted), Shared key authentication (challenge/response with the WEP key), Difficult to deploy, Difficult to change, Hard to keep secret, No accountability (one key shared by everyone)

WEP Encryption

Tools

wesside-ng

AirSnort

WEPCrack

Scanning tools

Sniffing tools, AiroPeek, Aerosol, WinDump