Ethical Hacking and Countermeasures
EC-Council (http://www.eccouncil.org)

CEH (TM) Certified Ethical Hacker

Hackers are here. Where are you?

Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes.

The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief by thinking like a thief. As technology advances and organizations depend on technology increasingly, information assets have evolved into critical components of survival.

If hacking involves creativity and thinking ‘out-of-the-box’, then vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organizations have adequately protected their information assets, they must adopt the approach of ‘defense in depth’. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure.

The definition of an Ethical Hacker is very similar to a Penetration Tester. The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.

The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Ethical Hacking and Countermeasures Training Program

Course Description

This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab-intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking their own networks (no real network is harmed). Students then learn how intruders escalate privileges and what steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5-day class they will have hands-on understanding and experience in Ethical Hacking.

This course prepares you for the EC-Council Certified Ethical Hacker exam 312-50.

Who Should Attend

This course will significantly benefit security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.

Duration: 5 days (9:00 – 5:00)

Certification

The Certified Ethical Hacker certification exam 312-50 will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CEH certification.

Legal Agreement

The mission of the Ethical Hacking and Countermeasures course is to educate, introduce and demonstrate hacking tools for penetration testing purposes only. Prior to attending this course, you will be asked to sign an agreement stating that you will not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system, and to indemnify EC-Council with respect to the use or misuse of these tools, regardless of intent.

Not anyone can be a student — the Accredited Training Centers (ATC) will make sure the applicants work for legitimate companies.

Course Outline

Module: Introduction to Ethical Hacking
- Module Objectives
- Module Flow
- Problem Definition - Why Security?
- Essential Terminologies
- Elements of Security
- The Security, Functionality and Ease of Use Triangle
- Case Study
- What does a Malicious Hacker do?
- Phase 1 - Reconnaissance
- Reconnaissance Types
- Phase 2 - Scanning
- Phase 3 - Gaining Access
- Phase 4 - Maintaining Access
- Phase 5 - Covering Tracks
- Types of Hacker Attacks
- Operating System attacks
- Application-level attacks
- Shrink Wrap code attacks
- Misconfiguration attacks
- Remember this Rule!
- Hacktivism
- Hacker Classes
- Hacker Classes and Ethical Hacking
- What do Ethical Hackers do?
- Can Hacking be Ethical?
- How to become an Ethical Hacker?
- Skill Profile of an Ethical Hacker
- What is Vulnerability Research?
- Why Hackers Need Vulnerability Research?
- Vulnerability Research Tools
- Vulnerability Research Websites
- Secunia (www.secunia.com)
- Hackerstorm Vulnerability Database Tool (www.hackerstrom.com)
- HackerWatch (www.hackerwatch.org)
- Web Page Defacement Reports (www.zone-h.org)
- How to Conduct Ethical Hacking?
- How Do They Go About It?
- Approaches to Ethical Hacking
- Ethical Hacking Testing
- Ethical Hacking Deliverables
- Computer Crimes and Implications
- Legal Perspective (U.S. Federal Law)
- Section 1029 and Penalties
- Section 1030 and Penalties
- Japan Cyber Laws
- United Kingdom Cyber Laws
- Australia Cyber Laws
- Germany’s Cyber Laws
- Singapore’s Cyber Laws
- Summary

Module: Footprinting
- Scenario
- Module Objectives
- Revisiting Reconnaissance
- Defining Footprinting
- Information Gathering Methodology
- Unearthing Initial Information
- Finding Company’s URL
- Internal URL
- Extracting Archive of a Website
- Google Search for Company’s Info
- People Search
- Footprinting through Job Sites
- Passive Information Gathering
- Competitive Intelligence Gathering
- Public and Private Websites
- DNS Enumerator
- SpiderFoot (http://www.binarypool.com/spiderfoot/)
- Sensepost Footprint Tools (www.sensepost.com/research/bidiblah)
- Wikito Footprinting Tool
- Web Data Extractor Tool
- Additional Footprinting Tools
- Whois
- Nslookup
- Extract DNS Information
- Types of DNS Records
- Necrosoft Advanced DIG
- Locate the Network Range
- ARIN
- Traceroute
- Traceroute Analysis
- 3D Traceroute (http://www.d3tr.de/)
- Tool: NeoTrace (Now McAfee Visual Trace)
- GEOSpider (http://www.delorme.com/professional/geospider/)
- Geowhere Footprinting Tool (http://www.geowhere.net/)
- Google Earth
- Tool: VisualRoute Trace
- Kartoo Search Engine (www.kartoo.com)
- Touchgraph Visual Browser (www.touchgraph.com)
- Tool: SmartWhois
- Tool: VisualRoute Mail Tracker
- Tool: eMailTrackerPro
- Tool: Read Notify (readnotify.com)
- HTTrack Web Site Copier (www.httrack.com)
- Web Ripper Tool
- Robots.txt
- Website Watcher
- E-Mail Spiders
- 1st E-mail Address Spider
- Powerful E-mail Collector Tool
- Steps to Perform Footprinting
- Summary

Module: Scanning
- Scenario
- Module Objectives
- Module Flow
- Scanning: Definition
- Types of Scanning
- Objectives of Scanning
- CEH Scanning Methodology
- Checking for live systems - ICMP Scanning
- Angry IP
- HPing2
- Ping Sweep
- Firewalk Tool
- TCP Communication Flags
- Syn Stealth/Half Open Scan
- Stealth Scan
- Xmas Scan
- Fin Scan
- Null Scan
- Idle Scan
- ICMP Echo Scanning/List Scan
- TCP Connect/Full Open Scan
- FTP Bounce Scan
- Ftp Bounce Attack
- SYN/FIN Scanning Using IP Fragments
- UDP Scanning
- Reverse Ident Scanning
- RPC Scan
- Window Scan
- Blaster Scan
- Portscan Plus, Strobe
- Different Scanning tools
- Nmap
- IPSec Scan
- Netscan Tools Pro 2003
- WUPS – UDP Scanner
- Superscan
- IPScanner
- Megaping
- Global Network Inventory Scanner
- Net Tools Suite Pack
- Floppy Scan
- War Dialer Technique
- Phonesweep – War Dialing Tool
- THC Scan
- War Dialing Countermeasures: Sandtrap Tool
- Banner Grabbing
- OS Fingerprinting
- Active Stack Fingerprinting
- Passive Fingerprinting
- Active Banner Grabbing Using Telnet
- P0f – Banner Grabbing Tool
- Httprint Banner Grabbing Tool
- Tools for Active Stack Fingerprinting
- Xprobe2
- Ringv2
- Netcraft
- Vulnerability Scanning
- Bidiblah Automated Scanner
- Qualys Web Based Scanner
- SAINT
- ISS Security Scanner
- Nessus
- GFI Languard
- Security Administrator’s Tool for Analyzing Networks (SATAN)
- Retina
- NIKTO
- SAFEsuite Internet Scanner, IdentTCPScan
- Cheops
- Friendly Pinger
- Preparing Proxies
- Proxy Servers
- Use of Proxies for Attacking
- SocksChain
- Proxy Workbench
- Proxymanager Tool
- Super Proxy Helper Tool
- Happy Browser Tool (Proxy Based)
- Multiproxy
- Tor Proxy Chaining Software
- Additional Proxy Tools
- Anonymizers
- Primedius Anonymizer
- Google Cookies
- G-Zapper
- SSL Proxy Tool
- HTTP Tunneling Techniques
- HTTPort
- Spoofing IP Address
- Spoofing IP Address Using Source Routing
- Detection of IP Spoofing
- Despoof Tool
- Scanning Countermeasures
- Summary

Module: Enumeration
- Scenario
- Module Objectives
- Module Flow
- Overview of System Hacking Cycle
- What is Enumeration?
- Techniques for Enumeration
- NetBIOS Null Sessions
- So What’s the Big Deal?
- DumpSec Tool
- NetBIOS Enumeration
- Nbtstat Enumeration Tool
- SuperScan4 Tool
- Enum Tool
- Enumerating User Accounts
- GetAcct
- Null Session Countermeasure
- PS Tools
- PsExec
- PsFile
- PsGetSid
- PsKill
- PsInfo
- PsList
- PsLoggedOn
- PsLogList
- PsPasswd
- PsService
- PsShutdown
- PsSuspend
- Simple Network Management Protocol (SNMP) Enumeration
- Management Information Base (MIB)
- SNMPutil Example
- SolarWinds
- SNScan v1.05
- UNIX Enumeration
- SNMP UNIX Enumeration
- SNMP Enumeration Countermeasures
- Winfingerprint
- Windows Active Directory Attack Tool
- IP Tools Scanner
- Enumerate Systems Using Default Password
- Steps to Perform Enumeration
- Summary

Module: System Hacking
- Module Objectives
- Module Flow
- Scenario
- Part 1 - Cracking Password
- CEH Hacking Cycle
- Password Types
- Types of Password Attack
- Passive Online - Wire Sniffing
- Passive Online Attacks
- Active Online - Password Guessing
- Offline Attacks
- Dictionary attacks
- Hybrid attacks
- Brute force Attack
- Pre-computed Hashes
- Non-Technical Attack
- Password Mitigation
- Permanent Account Lockout - Employee Privilege Abuse
- Administrator Password Guessing
- Manual Password cracking Algorithm
- Automatic Password Cracking Algorithm
- Performing Automated Password Guessing
- Tool: NAT
- Smbbf (SMB Passive Brute Force Tool)
- SmbCrack
- Tool: Legion
- Hacking Tool: L0phtcrack
- Microsoft Authentication
- LM, NTLMv1, and NTLMv2
- NTLM And LM Authentication On The Wire
- Kerberos Authentication
- What is LAN Manager Hash?
- LM “Hash” Generation
- LM Hash
- Salting
- PWdump2 and Pwdump3
- Tool: Rainbowcrack
- Hacking Tool: KerbCrack
- NetBIOS DoS Attack
- Hacking Tool: John the Ripper
- Password Sniffing
- How to Sniff SMB Credentials?
- Sniffing Hashes Using LophtCrack
- Tool: ScoopLM
- Hacking Tool: SMBRelay
- SMBRelay Man-In-The-Middle Scenario
- Redirecting SMB Logon to the Attacker
- SMB Replay Attacks
- Replay Attack Tool: SMBProxy
- Hacking Tool: SMB Grind
- Hacking Tool: SMBDie
- SMBRelay Weakness & Countermeasures
- SMB Signing
- Password Cracking Countermeasures
- Do Not Store LAN Manager Hash in SAM Database
- LM Hash Backward Compatibility
- How to Disable LM HASH?
- Password Brute Force Estimate Tool
- Syskey Utility
- Scenario
- Part 2 - Escalating Privileges
- CEH Hacking Cycle
- Privilege Escalation
- Cracking NT/2000 passwords
- Active@ Password Changer
- Change Recovery Console Password - Method 1
- Change Recovery Console Password - Method 2
- Privilege Escalation Tool: x.exe
- Part 3 - Executing applications
- CEH Hacking Cycle
- Tool: psexec
- Tool: remoexec
- Tool: Alchemy Remote Executor
- Keystroke Loggers
- E-mail Keylogger
- SpyToctor FTP Keylogger
- IKS Software Keylogger
- Ghost Keylogger
- Hacking Tool: Hardware Key Logger
- What is Spyware?
- Spyware: Spector
- Remote Spy
- eBlaster
- Stealth Voice Recorder
- Stealth Keylogger
- Stealth Website Logger
- Digi Watcher Video Surveillance
- Desktop Spy Screen Capture Program
- Telephone Spy
- Print Monitor Spy Tool
- Perfect Keylogger
- Stealth E-Mail Redirector
- Spy Software: Wiretap Professional
- Spy Software: FlexiSpy
- PC PhoneHome
- Keylogger Countermeasures
- Anti Keylogger
- Privacy Keyboard
- Scenario
- Part 4 - Hiding files
- CEH Hacking Cycle
- Hiding Files
- Hacking Tool: RootKit
- Why rootkits?
- Rootkits
- Rootkits in Linux
- Detecting Rootkits
- Steps for Detecting Rootkits
- Rootkit detection tools
- Sony Rootkit Case Study
- Planting the NT/2000 Rootkit
- Rootkit: Fu
- AFX Rootkit 2005
- Rootkit: Nuclear
- Rootkit: Vanquish
- Rootkit Countermeasures
- Patchfinder 2.0
- RootkitRevealer
- Creating Alternate Data Streams
- How to Create NTFS Streams?
- NTFS Stream Manipulation
- NTFS Streams Countermeasures
- NTFS Stream Detectors (ADS Spy and ADS Tools)
- What is Steganography?
- Tool: Merge Streams
- Invisible Folders
- Tool: Invisible Secrets 4
- Tool: Image Hide
- Tool: Stealth Files
- Masker Steganography Tool
- Hermetic Stego
- DCPP – Hide an Operating System
- Tool: Camera/Shy
- www.spammimic.com
- Tool: Mp3Stego
- Tool: Snow.exe
- Video Steganography
- Steganography Detection
- SIDS
- Tool: dskprobe.exe
- Part 5 - Covering Tracks
- CEH Hacking Cycle
- Covering Tracks
- Disabling Auditing
- Clearing the Event Log
- Tool: elsave.exe
- Hacking Tool: Winzapper
- Evidence Eliminator
- Tool: Traceless
- Tool: Tracks Eraser Pro
- Tool: ZeroTracks
- Summary

Module: Trojans and Backdoors
- Scenario
- Module Objectives
- Module Flow
- Introduction
- Effect on Business
- What is a Trojan?
- Overt and Covert Channels
- Working of Trojans
- Different Types of Trojans
- What do Trojan Creators Look for?
- Different Ways a Trojan can Get into a System
- Indications of a Trojan Attack
- Some Famous Trojans and Ports They Use
- How to Determine which Ports are Listening
- Different Trojans in the Wild
- Trojan: Tini
- Trojan: icmd
- Trojan: NetBus
- Netcat
- Beast
- MoSucker Trojan
- Proxy Server Trojan
- SARS Trojan Notification
- Wrappers
- Graffiti.exe
- Wrapping Tools
- Packaging Tool: WordPad
- RemoteByMail
- Icon Plus
- Restorator
- Tetris
- HTTP Trojans
- HTTP RAT
- Reverse Connecting Trojans
- BadLuck Destructive Trojan
- ICMP Tunneling
- ICMP Backdoor Trojan
- ScreenSaver Password Hack Tool
- Phatbot
- Amitis
- Senna Spy
- QAZ
- Case Study: Microsoft Network Hacked by QAZ Trojan
- Back Orifice
- Back Orifice 2000
- Back Orifice Plug-ins
- SubSeven
- CyberSpy Telnet Program
- Subroot Telnet Trojan
- Let Me Rule! 2.0 BETA 9
- Donald Dick
- RECUB
- Loki
- Loki Countermeasures
- Atelier Web Remote Commander
- Trojan Horse Construction Kit
- How to Detect Trojans?
- Netstat
- fPort
- TCPView
- CurrPorts Tool
- Process Viewer
- Delete Suspicious Device Drivers
- What’s on My Computer?
- Super System Helper Tool
- Inzider - Tracks Processes and Ports
- What’s Running on My Computer?
- MS Configuration Utility
- Registry - What’s Running
- Autoruns
- Hijack This (System Checker)
- Startup List
- Anti-Trojan Software
- Evading Anti-Virus Techniques
- Evading Anti-Trojan/Anti-Virus using Stealth Tools v 2.0
- Backdoor Countermeasures
- Tripwire
- System File Verification
- MD5 Checksum
- Microsoft Windows Defender
- How to Avoid a Trojan Infection?
- Summary

Module: Sniffers
- Scenario
- Module Objectives
- Module Flow
- Definition - Sniffing
- Protocols Vulnerable to Sniffing
- Tool: Network View – Scans the Network for Devices
- Ethereal
- Displaying Filters in Ethereal
- Following the TCP Stream in Ethereal
- tcpdump
- Types of Sniffing
- Passive Sniffing
- Active Sniffing
- What is ARP?
- ARP Spoofing Attack
- How does ARP Spoofing Work?
- ARP Poisoning
- MAC Duplicating
- Tools for ARP Spoofing
- Ettercap
- MAC Flooding
- Tools for MAC Flooding
- Linux Tool: Macof
- Windows Tool: Etherflood
- Threats of ARP Poisoning
- Irs-Arp Attack Tool
- ARPWorks Tool
- Tool: Nemesis
- Sniffers Hacking Tools
- Linux Tool: Arpspoof
- Linux Tool: Dnsspoof
- Linux Tool: Dsniff
- Linux Tool: Filesnarf
- Linux Tool: Mailsnarf
- Linux Tool: Msgsnarf
- Linux Tool: Sshmitm
- Linux Tool: Tcpkill
- Linux Tool: Tcpnice
- Linux Tool: Urlsnarf
- Linux Tool: Webspy
- Linux Tool: Webmitm
- DNS Poisoning
- Intranet DNS Spoofing (Local Network)
- Internet DNS Spoofing (Remote Network)
- Proxy Server DNS Poisoning
- DNS Cache Poisoning
- Interactive TCP Relay
- HTTP Sniffer: EffeTech
- Ace Password Sniffer
- MSN Sniffer
- Smart Sniff
- Session Capture Sniffer: Nwreader
- Cain and Abel
- Packet Crafter
- SMAC
- Netsetman Tool
- Raw Sniffing Tools and features
- Sniffit
- Aldebaran
- Hunt
- NGSSniff
- Ntop
- Pf
- Iptraf
- Etherape
- Netfilter
- Network Probe
- Maatec Network Analyzer
- Snort
- Windump
- Etherpeek
- Mac Changer
- Iris
- Netintercept
- Windnsspoof
- How to Detect Sniffing?
- Antisniff Tool
- Arpwatch Tool
- Scenario
- Countermeasures
- Summary

Module: Denial-of-Service
- Scenario
- Module Objectives
- Module Flow
- Real World Scenario of DoS Attacks
- What are Denial-of-Service Attacks?
- Goal of DoS
- Impact and the Modes of Attack
- Types of Attacks
- DoS Attack Classification
- Smurf Attack
- Buffer Overflow Attack
- Ping of Death Attack
- Teardrop Attack
- SYN Attack
- SYN Flooding
- Tribal Flow Attack
- DoS Attack Tools
- Jolt2
- Bubonic.c
- Land and LaTierra
- Targa
- Blast2.0
- Nemesys
- Panthers2
- Icmp Packet Sender
- Some Trouble
- UDP Flood
- FSMax
- Bot (Derived from the Word ‘RoBot’)
- Botnets
- Uses of botnets
- Types of Bots
- How do They Infect? Analysis of Agabot
- Nuclear Bot
- What is DDoS Attack?
- DDoS Attack Characteristics
- Agent Handler Model
- DDoS IRC-based Model
- DDoS Attack Taxonomy
- Amplification Attack
- DDoS Tools
- Trinoo
- Tribe Flood Network
- TFN2K
- Stacheldraht
- Shaft
- Trinity
- Knight and Kaiten
- MStream
- Reflected DoS Attacks
- Reflection of the Exploit
- Countermeasures for Reflected DoS
- DDoS Countermeasures
- Taxonomy of DDoS Countermeasures
- Preventing Secondary Victims
- Detect and Neutralize Handlers
- Detect Potential Attacks
- Mitigate or Stop the Effects of DDoS Attacks
- Deflect Attacks
- Post Attack Forensics
- Packet Traceback
- Worms
- Slammer Worm
- Spread of Slammer Worm – 30 Min
- MyDoom.B
- How to Conduct DDoS Attack?
- Summary

Module: Social Engineering
- Module Objectives
- Module Flow
- What is Social Engineering?
- Security 5 Program
- Common Types of Social Engineering
- Human-Based Social Engineering
- Human-based Impersonation
- Technical Support Example
- More Social Engineering Example
- Dumpster Diving Example
- Shoulder Surfing
- Computer Based Social Engineering
- Insider Attack
- Disgruntled Employee
- Preventing Insider Threat
- Reverse Social Engineering
- Common Targets of Social Engineering
- Factors that make Companies Vulnerable to Attack
- Why is Social Engineering Effective?
- Warning Signs of an Attack
- Computer Based Social Engineering
- Computer Based Social Engineering: Phishing
- Netcraft Anti-Phishing Toolbar
- Phases in Social Engineering Attack
- Behaviors Vulnerable to Attacks
- Impact on the Organization
- Countermeasures
- Scenario
- Policies and Procedures
- Security Policies - Checklist
- Summary

Phishing Attacks and Identity Theft
- What is Phishing?
- Phishing Reports
- Hidden Frames
- URL obfuscation
- URL Encoding Techniques
- IP Address to Base 10 Formula
- HTML Image Mapping Techniques
- DNS Cache Poisoning Attack
- Identity Theft
- How to steal Identity?
- Countermeasures

Module: Session Hijacking
- Scenario
- Module Objectives
- Module Flow
- What is Session Hijacking?
- Spoofing v Hijacking
- Steps in Session Hijacking
- Types of Session Hijacking
- TCP Three-way Handshake
- Sequence Numbers
- Sequence Number Prediction
- TCP/IP hijacking
- RST Hijacking
- RST Hijacking Tool: hijack_rst.sh
- Programs that Perform Session Hacking
- Juggernaut
- Hunt
- TTY-Watcher
- IP watcher
- T-sight
- Remote TCP Session Reset Utility (SOLARWINDS)
- Paros HTTP Session Hijacking Tool
- Dangers that hijacking Pose
- Protecting against Session Hijacking
- Countermeasures: IPSec
- Summary

Module: Hacking Web Servers
- Scenario
- Module Objectives
- Module Flow
- How Web Servers Work?
- How are Web Servers Compromised?
- Web Server Defacement
- How are Servers Defaced?
- Apache Vulnerability
- Attacks against IIS
- IIS Components
- IIS Directory Traversal (Unicode) Attack
- Unicode
- Unicode Directory Traversal Vulnerability
- Hacking Tool: IISxploit.exe
- Msw3prt IPP Vulnerability
- WebDav/ntdll.dll Vulnerability
- Real World Instance of WebDAV Exploit
- RPC DCOM Vulnerability
- ASN Exploits
- ASP Trojan (cmd.asp)
- IIS Logs
- Network Tool: Log Analyzer
- Hacking Tool: CleanIISLog
- Unspecified Executable Path Vulnerability
- Metasploit Framework
- Scenario
- Hotfixes and Patches
- What is Patch Management?
- Solution: UpdateExpert
- Patch Management Tool: qfecheck
- Patch Management Tool: HFNetChk
- cacls.exe utility
- Vulnerability Scanners
- Online Vulnerability Search Engine
- Network Tool: Whisker
- Network Tool: N-Stealth HTTP Vulnerability Scanner
- Hacking Tool: WebInspect
- Network Tool: Shadow Security Scanner
- Secure IIS
- Countermeasures
- Increasing Web Server Security
- Web Server Protection Checklist
- Summary

Module: Web Application Vulnerabilities
- Scenario
- Module Objectives
- Module Flow
- The Web Application Setup
- Web application Hacking
- Anatomy of an Attack
- Web Application Threats
- Cross-Site Scripting/XSS Flaws
- Countermeasures
- SQL Injection Attack
- Command Injection Flaws
- Countermeasures
- Cookie/Session Poisoning
- Countermeasures
- Parameter/Form Tampering
- Buffer Overflow
- Countermeasures
- Directory Traversal/Forceful Browsing
- Countermeasures
- Cryptographic Interception
- Cookie Snooping
- Authentication Hijacking
- Countermeasures
- Log Tampering
- Error Message Interception
- Attack Obfuscation
- Platform Exploits
- DMZ Protocol Attacks
- Countermeasures
- Security Management Exploits
- Web Services Attacks
- Zero-Day Attacks
- Network Access Attacks
- TCP Fragmentation
- Scenario
- Hacking Tools
- Instant Source
- Wget
- WebSleuth
- BlackWidow
- SiteScope Tool
- WSDigger Tool – Web Services Testing Tool
- CookieDigger Tool
- SSLDigger Tool
- SiteDigger Tool
- Hacking Tool: WindowBomb
- Burp
- Hacking Tool: cURL
- dotDefender
- Google Hacking
- Google Hacking Database (GHDB)
- Acunetix Web Scanner
- AppScan - Web Application Scanner
- Summary

Module: Web-Based Password Cracking Techniques
- Scenario
- Module Objectives
- Module Flow
- Authentication - Definition
- Authentication Mechanisms
- HTTP Authentication
- Basic Authentication
- Digest Authentication
- Integrated Windows (NTLM) Authentication
- Negotiate Authentication
- Certificate-based Authentication
- Forms-based Authentication
- RSA SecurID Token
- Biometrics Authentication
- Types of Biometrics Authentication
- Fingerprint-based Identification
- Hand Geometry-based Identification
- Retina Scanning
- Face Recognition
- How to Select a Good Password?
- Things to Avoid in Passwords
- Changing Your Password
- Protecting Your Password
- How Hackers Get Hold of Passwords?
- Microsoft Password Checker
- What is a Password Cracker?
- Modus Operandi of an Attacker Using a Password Cracker
- How Does a Password Cracker Work?
- Attacks - Classification
- Password Guessing
- Query String
- Cookies
- Dictionary Maker
- Password Crackers Available
- L0phtCrack (LC4)
- John the Ripper
- Brutus
- ObiWaN
- Authforce
- Hydra
- Cain & Abel
- RAR
- Gammaprog
- WebCracker
- Munga Bunga
- PassList
- SnadBoy
- RockXP
- WinSSLMiM
- Countermeasures
- Summary

Module: SQL Injection
- Scenario
- Module Objectives
- Module Flow
- What is SQL Injection?
- Exploiting Web Applications
- Steps for performing SQL injection
- What You Should Look For?
- What If It Doesn’t Take Input?
- OLE DB Errors
- Input Validation Attack
- SQL injection Techniques
- How to Test if it is Vulnerable?
- How Does It Work?
- Executing Operating System Commands
- How to get output of your SQL query?
- How to get data from the database using ODBC error message?
- How to Mine all Column Names of a Table?
- How to Retrieve any Data?
- How to Update/Insert Data into Database?
- Absinthe Automated SQL Injection Tool
- SQL Injection in Oracle
- SQL Injection in MySql Database
- Attacking SQL Servers
- SQL Server Resolution Service (SSRS)
- Osql -L Probing
- SQL Injection Automated Tools
- Hacking Tool: SQLDict
- SQLExec
- Tool: sqlbf
- SQLSmack
- SQL2.exe
- SQL Injection Countermeasures
- Preventive Measures
- Preventing SQL Injection Attacks
- SQL Injection Blocking Tool: SQL Block
- Acunetix Web Vulnerability Scanner
- Summary

Module: Hacking Wireless Networks
- Scenario
- Module Objectives
- Module Flow
- Introduction to Wireless Networking
- Business and Wireless Attacks
- Basics
- Related Technology and Carrier Networks
- 802.11a
- 802.11b – “WiFi”
- 802.11g
- 802.11i
- 802.11n
- Availability
- Wired vs. Wireless
- Terminology
- StumbVerter
- Types of Wireless Network
- Setting up a WLAN
- Detecting a Wireless Network
- How to Access a WLAN
- Advantages
- Advantages and Disadvantage of a Wireless Network
- Antennas
- Cantenna – www.cantenna.com
- SSID
- Beacon Frames
- Is the SSID a Secret?
- Authentication and Association
- Authentication and (Dis) Association
- Authentication Modes
- Access Point Positioning
- Rogue Access Points
- Tools to Generate Rogue AP: Fake AP
- NetStumbler
- MiniStumbler
- What is Wired Equivalent Privacy (WEP)?
- XOR Encryption
- Stream Cipher
- PAD Collection Attacks
- Cracking WEP
- Weak keys
- Problems with WEP’s Key Stream and Reuse
- Automated WEP Crackers
- The Lightweight Extensible Authentication Protocol (LEAP)
- LEAP Attacks
- What is WPA?
- WPA Vulnerabilities
- Temporal Key Integrity Protocol (TKIP)
- WEP, WPA and WPA2
- Types of Attacks
- Hacking
- Steps for Hacking Wireless Networks
- Step 1: Find Networks to Attack
- Step 2: Choose the Network to Attack
- Step 3: Analyzing the Network
- Step 4: Cracking the WEP Key
- Step 5: Sniffing the Network
- WEP Tool: Aircrack
- AirSnort
- WEPCrack
- MAC Sniffing and AP Spoofing
- Tool for Detecting MAC Spoofing: Wellenreiter v2
- Denial-Of-Service (DoS) Attacks
- DoS Attack Tool: Fatajack
- Man-in-the-Middle Attack (MITM)
- Scanning Tools
Redfang
Kismet
THC-wardrive
PrismStumbler
MacStumbler
Mognet V1.16
WaveStumbler
NetChaser v1.0 for Palm Tops
AP Scanner
Wavemon
Wireless Security Auditor (WSA)
AirTraf 1.0
Wifi Finder
Sniffing Tools
AiroPeek
NAI Wireless Sniffer
Ethereal
Aerosol v0.65
vxSniffer
EtherPEG
Driftnet
AirMagnet
WinDump
Ssidsniff
Multiuse Tool: THC-RUT
WinPcap
Auditing Tool: BSD-Airtools
AirDefense Guard
Wireless Intrusion Detection System (WIDZ)
PCR-PRO-1k Hardware Scanner
Securing Wireless Networks
Remote Authentication Dial-In User Service
Google Secure Access
Summary

Module: Virus and Worms
Case Study
Scenario
Module Objectives
Module Flow
Introduction
Virus History
Characteristics of Virus
Working of Virus
Infection Phase
Attack Phase
Why Do People Create Computer Viruses?
Symptoms of a Virus-like Attack
Virus Hoaxes
How is a Worm Different from a Virus?
Indications of a Virus Attack
Hardware Threats
Software Threats
Virus Damage
Mode of Virus Infection
Stages of Virus Life
Virus Classification
How Does a Virus Infect?
Storage Patterns of Virus
System Sector Virus
Stealth Virus
Bootable CD-ROM Virus
Self-Modification
Encryption with a Variable Key
Polymorphic Code
Metamorphic Virus
Cavity Virus
Sparse Infector Virus
Companion Virus
File Extension Virus
Famous Virus/Worms – I Love You Virus
Famous Virus/Worms – Melissa

Famous Virus/Worms – JS/Spth
Klez Virus Analysis - 1
Klez Virus Analysis - 2
Klez Virus Analysis - 3
Klez Virus Analysis - 4
Klez Virus Analysis - 5
Writing a Simple Virus Program
Virus Construction Kits
Virus Detection Methods
Virus Incident Response
What is Sheep Dip?
Virus Analysis – IDA Pro Tool
Prevention is Better than Cure
Latest Viruses
Top 10 Viruses - 2006
Anti-Virus Software
AVG Antivirus
Norton Antivirus
McAfee
SocketShield
Popular Anti-Virus Packages
Virus Databases
Jason Springfield Methodology
Summary

Module: Physical Security
Real World Scenario
Module Objectives
Module Flow
Security Statistics
Physical Security Breach Incidents
Understanding Physical Security
Physical Security
Why is Physical Security Needed?
Who is Accountable?

Factors Affecting Physical Security
Physical Security Checklist
Physical Security Checklist - Company Surroundings
Gates
Security Guards
Premises - Physical Security
CCTV Cameras
Reception
Server
Workstation Area
Wireless Access Point
Other Equipment
Access Control
Mantrap
Biometric Devices
Biometric Identification Techniques
Smart Cards
Security Token
Computer Equipment Maintenance
Wiretapping
Remote Access
Locks
Lock Picking
Lock Picking Tools
Challenges in Ensuring Physical Security
Information Security
Wireless Security Countermeasures
EPS (Electronic Physical Security)
Spyware
Spying Devices
Lapse of Physical Security
Laptop Theft - Security Statistics
Laptop Theft
Laptop Theft: Data under Loss
Laptop Security Tools
XTool® Computer Tracker
STOP Anti-Theft Security Tags

Physical Security: Lock Down USB Ports
Tool: Device Lock
Track Stick GPS Tracking Device
Summary

Module: Linux Hacking
Scenario
Module Objectives
Module Flow
Why Linux?
Linux Distributions
Linux Live CD-ROMs
Linux Basic Commands
Linux File Structure
Linux Networking Commands
Directories in Linux
Compiling the Linux control
How to Install a Kernel Patch
Compiling Programs in Linux
GCC Commands
Make Files
Make Install Command
Linux Vulnerabilities
Chrooting
Why is Linux Hacked?
Linux Vulnerabilities in 2005
How to Apply Patches to Vulnerable Programs
Scanning Networks
Nmap in Linux
Nessus
Cheops
Port Scan Detection Tools
Password Cracking in Linux
Firewall in Linux: IPTables
Basic Linux Operating System Defense

SARA (Security Auditor’s Research Assistant)
Linux Tool: Netcat
Linux Tool: tcpdump
Linux Tool: Snort
Linux Tool: SAINT
Linux Tool: Ethereal
Linux Tool: Abacus Portsentry
Dsniff Collection
Linux Tool: Hping2
Linux Tool: Sniffit
Linux Tool: Nemesis
Linux Tool: LSOF
Linux Tool: IPTraf
Linux Tool: LIDS
Hacking Tool: Hunt
TCP Wrappers
Linux Loadable Kernel Modules
Linux Rootkits
Rootkits: Knark and Torn
Tuxit, Adore, Ramen
Beastkit
Rootkit Countermeasures
chkrootkit Detects the Following Rootkits
Linux Tool: Application Security: Whisker
Advanced Intrusion Detection Environment (AIDE)
Linux Tool: Security Testing Tools
Tool: Encryption
Log and Traffic Monitors
Linux Security Auditing Tool (LSAT)
Linux Security Countermeasures
Steps for Hardening Linux
Summary

Module: Evading IDS, Firewalls and Detecting Honey Pots
Scenario

Module Objectives
Module Flow
Introduction
Terminology
Intrusion Detection System (IDS)
IDS Placement
Ways to Detect an Intrusion
Types of Intrusion Detection Technique
System Integrity Verifiers (SIVs)
Tripwire
Cisco Security Agent (CSA)
Signature Analysis
General Indication of Intrusion: System Indications
General Indication of Intrusion: File System Indications
General Indication of Intrusion: Network Indications
Intrusion Detection Tools
Snort 2.x
Using EventTriggers.exe for Eventlog Notifications
SnortSam
Steps to Perform after an IDS Detects an Attack
Evading IDS Systems
Ways to Evade IDS
Tools to Evade IDS: SideStep
ADMutate
Packet Generators
What is a Firewall?
What Does a Firewall Do?
Packet Filtering
What Can’t a Firewall Do?
How Does a Firewall Work?
Firewall Operations
Hardware Firewall
Software Firewall
Types of Firewall
Packet Filtering Firewall
Circuit-Level Gateway
Application Level Firewall

Stateful Multilayer Inspection Firewall
Firewall Identification
Firewalking
Banner Grabbing
Breaching Firewalls
Bypassing a Firewall using HTTPTunnel
Placing Backdoors through Firewalls
Hiding Behind a Covert Channel: Loki
ACK Tunneling
Tools to Breach Firewalls
Common Tool for Testing Firewall and IDS
IDS Testing Tool: IDS Informer
IDS Testing Tool: Evasion Gateway
IDS Testing Tool: Firewall Informer
What is a Honeypot?
The Honeynet Project
Types of Honeypots
Advantages of Honeypots
Where to Place Honeypots?
Honeypots
Honeypot – Specter
Honeypot – Honeyd
Honeypot – KFSensor
Sebek
Physical and Virtual Honeypots
Tools to Detect Honeypots
What to Do When Hacked?
Summary

Module: Buffer Overflows
Module Objectives
Module Flow
Introduction
Why are Programs/Applications Vulnerable?

Buffer Overflows
Reasons for Buffer Overflow Attacks
Knowledge Required to Write Buffer Overflow Exploits
Stack-based Buffer Overflow
Understanding Assembly Language
Understanding Stacks
A Normal Stack
Shellcode
Heap-based Buffer Overflow
How to Detect Buffer Overflows in a Program
Attacking a Real Program
NOPs
How to Mutate a Buffer Overflow Exploit
Once the Stack is Smashed
Defense against Buffer Overflows
Tool to Defend Buffer Overflow: Return Address Defender (RAD)
StackGuard
Immunix System
Vulnerability Search – ICAT
Summary

Module: Cryptography
Module Objectives
Module Flow
Public Key Cryptography
Working of Encryption
Digital Signature
RSA (Rivest, Shamir, and Adleman)
RC4, RC5, RC6, Blowfish
Algorithms and Security
Brute-Force Attack
RSA Attacks
MD5
SHA (Secure Hash Algorithm)
SSL (Secure Socket Layer)

RC5
What is SSH?
Government Access to Keys (GAK)
RSA Challenge
Distributed.net
PGP (Pretty Good Privacy)
Code Breaking Methodologies
Cryptography Attacks
Disk Encryption
Hacking Tool: PGPCrack
Magic Lantern
WEPCrack
Cracking S/MIME Encryption using Idle CPU Time
CypherCalc
Command Line Scriptor
CryptoHeaven
Summary

Module: Penetration Testing
Introduction to Penetration Testing (PT)
Categories of Security Assessments
Vulnerability Assessment
Limitations of Vulnerability Assessment
Penetration Testing
Types of Penetration Testing
Risk Management
Do-It-Yourself Testing
Outsourcing Penetration Testing Services
Terms of Engagement
Project Scope
Pentest Service Level Agreements
Testing Points
Testing Locations
Automated Testing
Manual Testing

Using DNS Domain Name and IP Address Information
Enumerating Information about Hosts on Publicly Available Networks
Testing Network-filtering Devices
Enumerating Devices
Denial-of-Service Emulation
Pentest using Appscan
HackerShield
Pen-Test Using Cerberus Internet Scanner
Pen-Test Using Cybercop Scanner
Pen-Test Using FoundScan Hardware Appliances
Pen-Test Using Nessus
Pen-Test Using NetRecon
Pen-Test Using SAINT
Pen-Test Using SecureNet Pro
Pen-Test Using SecureScan
Pen-Test Using SATAN, SARA and Security Analyzer
Pen-Test Using STAT Analyzer
VigiLENT
WebInspect
Evaluating Different Types of Pen-Test Tools
Asset Audit
Fault Tree and Attack Trees
GAP Analysis
Threat
Business Impact of Threat
Internal Metrics Threat
External Metrics Threat
Calculating Relative Criticality
Test Dependencies
Defect Tracking Tools
Disk Replication Tools
DNS Zone Transfer Testing Tools
Network Auditing Tools
Trace Route Tools and Services
Network Sniffing Tools
Denial of Service Emulation Tools
Traditional Load Testing Tools

System Software Assessment Tools
Operating System Protection Tools
Fingerprinting Tools
Port Scanning Tools
Directory and File Access Control Tools
File Share Scanning Tools
Password Directories
Password Guessing Tools
Link Checking Tools
Web-testing Based Scripting Tools
Buffer Overflow Protection Tools
File Encryption Tools
Database Assessment Tools
Keyboard Logging and Screen Reordering Tools
System Event Logging and Reviewing Tools
Tripwire and Checksum Tools
Mobile-code Scanning Tools
Centralized Security Monitoring Tools
Web Log Analysis Tools
Forensic Data and Collection Tools
Security Assessment Tools
Multiple OS Management Tools
Phases of Penetration Testing
Pre-attack Phase
Best Practices
Results that can be Expected
Passive Reconnaissance
Active Reconnaissance
Attack Phase
Activity: Perimeter Testing
Activity: Web Application Testing - I
Activity: Web Application Testing - II
Activity: Wireless Testing
Activity: Acquiring Target
Activity: Escalating Privileges
Activity: Execute, Implant and Retract
Post Attack Phase and Activities

For Training Requirements, Please Contact EC-Council ATC.

EC-Council http://[email protected]