
1. M01 - Business and Technical Logistics of PT
1.1. Types of Hackers
1.1.1. white hat
1.1.1.1. Defensive hacker assigned to attack companies in order to improve their defense and security
1.1.2. gray hat
1.1.2.1. Hacker who plays mainly a defensive role but sometimes uses his/her knowledge for black hat purposes
1.1.3. black hat
1.1.3.1. Offensive hacker who attacks with the intention of unauthorized theft or destruction of data
1.2. Types of attacks
1.2.1. Operating System attacks
1.2.2. Application-level attacks
1.2.3. Shrink wrap code attacks
1.2.4. Misconfiguration attacks
1.3. Security, Functionality and Ease of Use Triangle
1.4. Security testing - hint: boxes
1.4.1. White box
1.4.2. Black box
1.4.2.1. You know only the company name
1.4.3. gray box
1.5. Passive information gathering
1.6. Active information gathering
1.7. Attack Phases
1.7.1. Reconnaissance
1.7.2. Scanning
1.7.3. Gaining Access
1.7.4. Maintaining Access
1.7.5. Covering Tracks
1.8. Elements of Security
2. M02 - Information Gathering
2.1. Passive Information Gathering
2.1.1. Whois
2.1.2. Google
2.1.3. www.archive.org
2.1.4. ICANN
2.1.4.1. ARIN
2.1.4.2. RIPE NCC
2.1.4.3. LACNIC
2.1.4.4. AfriNIC
2.1.4.5. APNIC
2.1.5. www.centralops.net
2.1.6. DNS
2.1.6.1. DNS: SOA lookup at the target; tools used: nslookup, Sam Spade, dig, host; resource records include NS, SOA, A and MX
2.1.7. Traceroute
2.2. Competitive Intelligence Gathering
2.2.1. Data Gathering
2.2.2. Data Analysis
2.2.3. Information Verification
2.2.4. Information Security
2.3. Social Engineering
2.3.1. Types of social engineering
2.3.1.1. Reciprocation
2.3.1.2. Consistency
2.3.1.3. Social Validation
2.3.1.4. Liking
2.3.1.5. Authority
2.3.1.5.1. Human-based Social Engineering
2.3.1.6. Scarcity
2.3.2. Tactic or Trick of gaining sensitive information
2.3.2.1. Trust
2.3.2.2. Fear
2.3.2.3. Desire to Help
2.3.2.4. Social Engineers attempt to gather information such as
2.3.2.4.1. Sensitive information
2.3.2.4.2. Authorization details
2.3.2.4.3. Access Details
2.3.3. Computer based Social Engineering
2.3.3.1. Pop-up Windows
2.3.3.2. Mail Attachments
2.3.3.3. Websites
2.3.3.4. Hoaxes and Chain letters
2.3.3.5. Instant Chat messenger
2.3.3.6. SPAM email
2.3.3.7. Phishing
2.3.4. Common targets
2.3.4.1. Receptionist and help desk personnel
2.3.4.2. Technical Support executives
2.3.4.3. Vendors of target organisation
2.3.4.4. System administrators and users
2.3.5. Behaviors Vulnerable to Attacks
2.3.5.1. Trust
2.3.5.2. Ignorance
2.3.5.3. Fear
2.3.5.4. Greed
2.3.5.5. Moral Duty
2.3.6. Insider attack
2.3.6.1. Disgruntled Employee
2.3.6.2. Preventing Insider Threats
2.3.6.2.1. Separation of Duties
2.3.6.2.2. Rotation of duties
2.3.6.2.3. Least privilege
2.3.6.2.4. Controlled Access
2.3.6.2.5. Logging and Auditing
2.3.6.2.6. Legal policies
2.3.6.2.7. Archive critical data
2.3.7. Countermeasures
2.3.7.1. Classification of information
2.3.7.2. Access privileges
2.3.7.3. Background check on employees and proper termination process
2.3.7.4. Proper incident response system
3. M03 - Linux Fundamentals
4. M04 - Detecting Live Systems
4.1. Scanning
4.1.1. ICMP
4.1.1.1. request
4.1.1.1.1. type 8
4.1.1.2. reply
4.1.1.2.1. type 0
4.1.1.3. TTL Exceeded
4.1.1.3.1. type 11
4.1.1.4. destination unreachable
4.1.1.4.1. type 3
4.1.2. TCP
4.1.2.1. Three way handshake
4.1.2.2. communication flags
4.1.2.2.1. SYN
4.1.2.2.2. ACK
4.1.2.2.3. PSH
4.1.2.2.4. URG
4.1.2.2.5. FIN
4.1.2.2.6. RST
4.1.3. UDP
4.1.4. Nmap
4.1.4.1. Nmap commands
4.1.4.1.1. scans
4.1.4.1.2. verbose
4.1.4.1.3. speeds
4.1.5. An attacker cannot simply spoof his IP address and expect to be able to scan or access a network undetected.
4.1.6. If a system elicits no response:
4.1.6.1. UDP is filtered by a gateway
4.1.6.2. The host might be down
4.1.6.3. The destination network might be down
4.1.6.4. ICMP is filtered by a gateway
4.1.7. After Portscanning, an attacker grabs the banner of an open port to know the services running on each port.
4.1.8. TCP Connect scan is the most reliable scan
4.1.9. War Dialing allows circumvention of protection mechanisms by being on the internal network
4.1.10. www.networkuptime.net/nmap/index.shtml
5. M10 - Advanced Vulnerability & Exploitation Techniques
6. M13 - Attacking Databases
7. M14 - Attacking Web Technologies
7.1. Web Based Password Cracking
7.1.1. Authentication Mechanisms
7.1.1.1. HTTP authentication
7.1.1.1.1. Basic authentication
7.1.1.1.2. Digest authentication (challenge)
7.1.1.2. Integrated Windows (NTLM) Authentication
7.1.1.3. Negotiate Authentication
7.1.1.4. Certificate-based authentication
7.1.1.5. Forms-based authentication
7.1.1.6. Microsoft Passport Authentication
7.1.2. Types of Biometrics authentication
7.1.2.1. Face Recognition
7.1.2.2. Iris Scanning
7.1.2.3. Retina Scanning
7.1.2.4. Fingerprinting
7.1.2.5. Hand Geometry
7.1.2.6. Voice Recognition
7.1.3. Questions
7.1.3.1. Obiwan
7.1.3.2. John the ripper
7.1.3.3. Snadboy
7.1.3.4. L0phtcrack
7.1.3.5. Cain and Abel
7.1.3.6. Hydra
8. M15 - Documentation
9. SkriptJack
10. M05 - Reconnaissance
10.1. NetBIOS null sessions
10.1.1. used ports
10.1.1.1. 139
10.1.1.2. 445
10.1.2. check for
10.1.2.1. Windows: net use \\victim\ipc$ "" /user:""
10.2. Banner grabbing
10.3. Tools to enumerate a system
10.3.1. IP-Tools
10.3.2. DumpSec
10.3.3. getif
10.3.4. winfo.exe
10.4. Data retrievable with Enumeration
10.4.1. usernames
10.4.2. usergroups
10.4.3. shares
10.4.4. password policy
10.4.4.1. min length
10.4.4.2. lockout threshold
10.4.4.3. min age
10.4.4.4. max age
10.4.4.5. lockout duration
10.4.4.6. lockout reset
10.4.5. SID of administrator
10.4.6. password guessing
11. M07 - Vulnerability Assessments
12. M08 - Malware - Software Goes Undercover
12.1. Trojans & Backdoors
12.1.1. Overt channel
12.1.2. Covert channel
12.1.3. Types of Trojans
12.1.3.1. Remote Access
12.1.3.2. Data-Sending
12.1.3.3. Destructive
12.1.3.4. Denial-of-Service
12.1.3.5. Proxy
12.1.3.6. FTP
12.1.3.7. Security Software Disablers
12.1.4. Attack vectors
12.1.4.1. Instant Messaging
12.1.4.2. IRC (Internet Relay Chat)
12.1.4.3. Via Attachments
12.1.4.4. Physical Access
12.1.4.5. Browser and Email Bugs
12.1.4.6. NetBIOS
12.1.4.7. Fake Programs
12.1.4.8. Suspicious Sites and Freeware Software
12.1.5. Working of Trojans
12.1.5.1. Client Server model
12.1.5.2. Command and control channel
12.1.5.2.1. IRC
12.1.5.2.2. ICQ
12.1.5.2.3. HTTP
12.1.5.2.4. RSS
12.1.6. Questions
12.1.6.1. Tini
12.1.6.1.1. 7777
12.1.6.1.2. It's tiny
12.1.6.1.3. 3kb
12.1.6.2. NetCat
12.1.6.2.1. Cryptcat is Netcat with encryption
12.1.6.3. BackOrifice
12.1.6.3.1. port numbers 31337/31338
12.1.6.4. Sub7
12.1.6.4.1. ports 6711,6712,6713
12.1.6.5. NetBus
12.1.6.5.1. ports 12345/12346
12.1.6.6. Beast
12.1.6.6.1. It's a royal pain in the ass
12.1.6.6.2. remove by running a beast server and tell the client to disable itself
12.1.6.7. Loki
12.1.6.7.1. written by daemon9
12.1.6.7.2. access over ICMP
12.1.6.7.3. UDP 53
12.1.7. Detect trojans
12.1.7.1. Netstat
12.1.7.2. Fport
12.1.7.3. TCPview
12.1.7.4. Process viewer
12.1.7.5. What's on my computer
12.1.7.6. Insider
12.1.7.7. Ethereal/Wireshark
12.1.7.8. Currports
12.1.7.9. autoruns
12.1.7.10. msconfig
12.1.7.11. Tripwire
12.1.7.11.1. System integrity verifier
12.2. Buffer overflows
12.2.1. Questions
12.2.1.1. String copy
12.2.2. Types
12.2.2.1. Stack-based
12.2.2.2. Heap/BSS-based
12.2.3. Understanding Assembly Language
12.2.3.1. Push pointers
12.2.3.2. Pop pointers
12.2.3.3. Different pointers
12.2.3.3.1. EIP
12.2.3.3.2. ESP
12.2.3.3.3. EBP
12.2.4. Example site/Links
12.2.4.1. nopsr.us
12.2.4.1.1. REALLY GEEKY
12.2.4.2. http://www.isg.rhul.ac.uk/files/Countermeasures.pdf
12.2.5. Howto detect BO's in a program
12.2.5.1. Use a fuzzer
12.2.5.2. Look at the source code
12.2.6. NOPS
12.2.6.1. also called Null Bytes
12.2.6.2. 0x90
12.2.6.3. x86
12.2.7. Canary word (important for the exam)
12.3. Denial of Service
12.3.1. Are DOS attacks on the rise?
12.3.1.1. August 15 2003, Microsoft.com falls to a DoS attack. It lasted 2 hours
12.3.1.2. March 27 2003, 15:09 GMT, Al Jazeera's English website comes back online hours after a DoS attack hit it.
12.3.2. Goal of DOS
12.3.2.1. Attackers flood a network, thereby preventing legitimate network traffic
12.3.2.2. Disrupt connections
12.3.2.3. Prevent individuals from accessing a service
12.3.2.4. Disrupt services
12.3.3. Impact and the modes of attack
12.3.3.1. Network connectivity
12.3.3.2. Misuse of Internal resources
12.3.3.3. Bandwidth consumption
12.3.3.4. Consumption of other resources
12.3.3.5. Destruction or alteration of configuration information
12.3.4. Types of attacks
12.3.4.1. DOS
12.3.4.1.1. DOS Tools
12.3.4.1.2. DOS attack classification
12.3.4.2. DDOS
12.3.4.2.1. DDOS attack classification
12.3.4.2.2. DDOS Tools
12.3.4.2.3. Tools to detect DDOS attacks
12.3.4.2.4. DDOS countermeasures
12.3.4.3. Reflected DOS attack
12.3.4.3.1. This is the next generation of DOS attacks. It uses the SYN flooding method, but with a twist. Instead of sending SYN packets to the server under attack it "reflects" them off any router or server connected to the internet.
12.3.4.3.2. The three way handshake is exploited
12.3.4.3.3. Any server could be used to send the packets
12.3.4.3.4. Countermeasures involve
12.3.5. Botnets
12.3.5.1. Uses of Botnet
12.3.5.1.1. DDOS attacks
12.3.5.1.2. Spamming
12.3.5.1.3. Sniffing traffic
12.3.5.1.4. Keylogging
12.3.5.1.5. Spreading new malware
12.3.5.1.6. Installing advertisement Addons
12.3.5.1.7. Google Adsense abuse
12.3.5.1.8. Attacking IRC chat networks
12.3.5.1.9. Manipulating online polls
12.3.5.1.10. Mass identity theft
12.3.5.2. Types of bots
12.3.5.2.1. Agobot/Phatbot/Fobot/XtremBot
12.3.5.2.2. SDBot/RBot/UrBot/UrXBot
12.3.5.2.3. mIRC-based Bots - GT-Bots
12.4. Virus and Worms
12.4.1. Differences
12.4.1.1. Worm
12.4.1.1.1. Propagates automatically
12.4.1.1.2. takes advantage of an Exploit
12.4.1.1.3. Special type of virus, that cannot attach to a program
12.4.1.2. Virus
12.4.1.2.1. Needs interaction to spread
12.4.1.2.2. Harder to remove
12.4.2. Questions
12.4.2.1. Macro viruses
12.4.2.2. Melissa virus
12.4.2.3. Difference between metamorphic and polymorphic viruses
12.4.2.4. History
12.4.2.5. What is a Sheep Dip
12.4.2.5.1. Way of testing viruses and what they do
12.4.2.6. How they propagate
12.4.2.7. Hoax viruses
12.4.2.8. EICAR.ORG has created a test virus. It's a file called EICAR.COM
12.4.3. Viruses
12.4.3.1. Characteristics
12.4.3.1.1. Resides in memory
12.4.3.1.2. Some leave the memory after execution
12.4.3.1.3. Change themselves
12.4.3.1.4. Hide themselves
12.4.3.1.5. Damage
12.4.3.2. Types of infection
12.4.3.2.1. Stealth Virus
12.4.3.2.2. Polymorphic
12.4.3.2.3. Cavity virus
12.4.3.2.4. Tunneling virus
12.4.3.2.5. Camouflage virus
12.4.3.2.6. Metamorphic virus
12.4.3.2.7. difference between polymorphic and metamorphic
12.4.3.3. Classification
12.4.3.3.1. File virus
12.4.3.3.2. Macro virus
12.4.3.3.3. System sectors or boot virus
12.4.3.3.4. Source code virus
12.4.3.3.5. Network virus
13. M09 - Windows Hacking
14. M12 - Networks - Sniffing - IDS
14.1. Sniffers
14.1.1. How a sniffer works
14.1.1.1. Shared Ethernet
14.1.1.2. Switched Ethernet
14.1.1.3. ARP spoofing
14.1.1.4. MAC flooding
14.1.2. Protocols vulnerable to sniffing
14.1.2.1. Cleartext protocols
14.1.2.1.1. HTTP
14.1.2.1.2. SMTP
14.1.2.1.3. NNTP
14.1.2.1.4. POP
14.1.2.1.5. FTP
14.1.2.1.6. IMAP
14.1.2.1.7. Telnet and Rlogin
14.1.3. Sniffers
14.1.3.1. The Dude Sniffer
14.1.3.2. Ethereal/Wireshark
14.1.3.3. tcpdump
14.1.4. Passive Sniffing
14.1.4.1. Through a Hub
14.1.5. Active Sniffing
14.1.5.1. ARP Spoofing
14.1.5.1.1. Tools
14.1.5.2. MAC flooding
14.1.5.2.1. Macof
14.1.5.2.2. Etherflood
14.1.5.3. MAC duplicating
14.1.5.4. Through a switch
14.1.5.5. DNSSpoofing
14.1.5.5.1. Types of DNSSpoofing
14.1.6. RAW Sniffing Tools
14.1.6.1. Sniffit
14.1.6.2. Aldebaran
14.1.6.3. Hunt
14.1.6.3.1. Also used for Session Hijacking
14.1.6.4. NGSSniff
14.1.6.5. NTOP
14.1.6.6. PF
14.1.6.7. IPTraf
14.1.6.8. EtherApe
14.1.6.9. Snort
14.1.6.10. Windump/tcpdump
14.1.6.11. Etherpeek
14.1.6.12. Mac Changer
14.1.6.13. IRIS
14.1.6.14. NetIntercept
14.1.6.15. WinDNSSpoof
14.1.6.16. TCPick
14.2. IDS
15. M11 - Attacking Wireless Networks
15.1. Wireless vs Wired networks
15.1.1. Cost
15.1.2. Reliability
15.1.3. Performance
15.1.4. Security
15.2. Types of Wireless Networks
15.2.1. Peer-to-peer Networks
15.2.2. Extension to Wired Network
15.2.3. Multiple Access Points
15.2.4. LAN to LAN Wireless
15.3. Advantages of Wireless Network
15.3.1. Provides mobility to users
15.3.2. Easy connection
15.3.3. Initial cost to setup is low
15.3.4. Data can be transmitted in different ways: cellular networks, Mobitex, DataTAC, Cellular Digital Packet Data
15.3.5. Sharing of data is easy among wireless devices
15.4. Disadvantages of Wireless Network
15.4.1. No physical protection
15.4.2. The risk of sharing data is high as packets are being sent through the air.
15.5. Wireless Standards
15.5.1. IEEE 802.11
15.5.1.1. a
15.5.1.1.1. 40 MHz to 5 GHz
15.5.1.1.2. More channels, higher speeds, less interference
15.5.1.1.3. Speed 54 Mbps
15.5.1.2. b
15.5.1.2.1. "wifi" standard
15.5.1.2.2. 20 MHz to 2.4 GHz
15.5.1.2.3. Protocol of the Wi-Fi revolution, de facto standard
15.5.1.3. n
15.5.1.3.1. Speed over 100 Mbps
15.5.1.4. i
15.5.1.4.1. Improves WLAN security
15.5.1.4.2. Also uses WPA
15.5.1.5. g
15.5.1.5.1. Similar to b but faster
15.5.1.5.2. backward compatible with b
15.5.2. IEEE 802.16
15.5.2.1. Long distance
15.6. Related technologies and carrier networks
15.6.1. CDPD
15.6.2. 1xRTT on CDMA
15.6.3. GPRS/GSM
15.6.4. FRS & GMRS
15.6.5. HPNA & Powerline Ethernet
15.6.6. 802.1x
15.6.7. BSS & IBSS
15.7. SSID
15.7.1. unique identifier
15.7.2. NOT SECURE ENOUGH
15.7.3. Beacon frames
15.7.3.1. Broadcast the SSID
15.7.4. Is it secret?
15.7.4.1. NO!
15.8. Terminology
15.8.1. WarWalking
15.8.2. Wardriving
15.8.3. Warflying
15.8.4. WarChalking
15.8.4.1. )(, () (W)
15.8.5. Blue Jacking
15.8.6. Global Positioning System
15.9. Authentication modes
15.9.1. Authentication is done by:
15.9.1.1. A BSS providing a SSID
15.9.1.2. Shared Key authentication
15.9.1.2.1. Difficult to deploy
15.9.1.2.2. Difficult to change
15.9.1.2.3. Hard to keep secret
15.9.1.2.4. No accountability
15.10. WEP Encryption
15.11. Tools
15.11.1. wesside
15.11.2. airsnort
15.11.3. Wepcrack
15.11.4. Scanning tools
15.11.5. Sniffing tools
15.11.5.1. Airopeek
15.11.5.2. Aerosol
15.11.5.3. Windump