Introduction
  Courseware Materials
  Who is this class for?
  What information will be covered?
Incident Handling Explained
  What is Incident Handling?
  What is a security event?
  Common Security Events of Interest
  What is a security incident?
  What is an incident response plan?
  When does the plan get initiated?
  Common Goals of Incident Response Management
  Six step approach to Incident Handling
Preparation
  Goal
  Be Prepared
  The Incident Response Plan
  Identify Incident Response Team
  Roles of the Incident Response Team
  IRT Team Makeup
  Challenges of building an IRT
  Incident Response Training and Awareness
  Jump Kit
  Prepare Your Sites and Systems
  Practical Advice
Identification and Initial Response
  Goal
  Three Basic Steps
  Step 1 - Receive
  Examples of Electronic Sensors
  Examples of Human Sensors
  Step 2 - Collect
  Step 3 - Analyze
  Analyze - First Steps
  Basic Incident Response Steps
  Proper Evidence Handling
Containment
  Goal
  Onsite Response
  Secure the Area
  Conduct Research
  Make Recommendations
  Establish Intervals
  Capture Digital Evidence
  Change Passwords
Eradication
  Goal
  Determine Cause
  Defend Against Follow-on Attacks
  More Defenses
  Analyze Threat and Vulnerability
  Remove the Cause of the Incident
  Restore System(s) to Operation
Recovery
  Goal
  Report Findings
  Restore System
  Verify
  Decide
  Monitor Systems
Follow Up
  Goal
  Develop Follow-up Report
  Follow-Up Report
Linux Fundamentals
  Overview
  Linux History: Linus + Minix = Linux
  The GNU Operating System
  Linux Introduction
  Linux GUI Desktops
  Linux Shell
  Linux Bash Shell
  Recommended Linux Book
  Password & Shadow File Formats
  User Account Management
  Instructor Demonstration
  Changing a User Account Password
  Configuring Network Interfaces with Linux
  Mounting Drives with Linux
  Tarballs and Zips
  Compiling Programs in Linux
  Typical Linux Operating Systems
  Gentoo = Simple Software Install Portal
  Why Use Live Linux Boot CDs
  FrozenTech’s Complete Distro List
  Most Popular: BackTrack
  BackTrack3 June 19th Updates
  Review
Reconnaissance
  Overview
  What Information is gathered by the Hacker?
  Methods of Obtaining Information
  Physical Access
  Social Access
  Social Engineering Techniques
  www.myspace.com
  Facebook www.facebook.com
  Others From Around the World
  Identity Theft and MySpace
  Instant Messengers and Chats
  Digital Access
  Passive vs. Active Reconnaissance
  Footprinting defined
  Maltego
  Maltego GUI
  Firecat v1.5
  FireFox Fully Loaded
  Footprinting tools
  Johnny.Ihackstuff.com
  Google and Query Operators
  Google (cont.)
  Instructor Demonstration
  SPUD: Google API Utility Tool
  Instructor Demonstration
  Blogs, Forums & Newsgroups
  Internet Archive: The WayBack Machine
  Domain Name Registration
  WHOIS
  WHOIS Output
  Instructor Demonstration
  http://www.dirk-loss.de/onlinetools
  Instructor Demonstration
  Dnsstuff.com performs various searches, including WHOIS searches.
  Instructor Demonstration
  DNS Databases
  Using Nslookup
  Dig for Unix / Linux
  Traceroute Operation
  Visual Mapping
  Instructor Demonstration
  People Search Engines
  EDGAR For USA Company Info
  Company House For British Company Info http://www.companieshouse.gov.uk/
  Client Email Reputation
  Intelius info and Background Check Tool
  Web Server Info Tool: Netcraft
  Countermeasure: Domainsbyproxy.com
  Footprinting Countermeasures
  Review
The Art of Scanning
  Overview
  Introduction to Port Scanning
  Port Scan Tips
  Expected Results
  Tools: Organizing Results
  Leo meta-text editor
  Instructor Demo: Leo
  Free Mind: Mind mapping
  IHMC CmapTools
  Popular Port Scanning Tools
  Stealth Online Ping
  NMAP: Is the Host On-line
  ICMP Disabled?
  NMAP TCP Connect Scan
  TCP Connect Port Scan
  Nmap (cont.)
  Tool Practice: TCP half-open & Ping Scan
  Half-open Scan
  Firewalled Ports
  Iron Geek
  NMAP Service Version Detection
  Additional NMAP Scans
  Saving NMAP results
  NMAP UDP Scans
  UDP Port Scan
  Advanced Technique
  Tool: Superscan
  Tool: Look@LAN
  Tool: Hping2
  Tool: Auto Scan
  OS Fingerprinting: Xprobe2
  Xprobe2 Options
  What Is Fuzzy Logic?
  Tool: P0f – Passive OS Fingerprinting Utility
  Tool Practice: Amap
  Tool Fragrouter: Fragmenting Probe Packets
  Countermeasures: Scanning
  Scanning Tools Summary
  Review
Hacking Wireless Networks
  Overview
  Standards Comparison
  SSID (Service Set Identity)
  MAC Filtering
  Wired Equivalent Privacy
  Weak IV Packets
  XOR - Basics
  WEP Weaknesses
  How WPA improves on WEP
  TKIP
  The WPA MIC Vulnerability
  802.11i - WPA2
  WPA and WPA2 Mode Types
  WPA-PSK Encryption
  LEAP
  LEAP Weaknesses
  NetStumbler
  War Driving With KNSGEM
  Vistumbler
  Tool: Kismet
  Analysis Tool: OmniPeek Personal
  OmniPeek Console
  Instructor Demonstration
  Tool: Aircrack-ng Suite
  Tool: Airodump-ng
  Tool: Aireplay
  DOS: Deauth/disassociate attack
  Tool: Aircrack
  Aircrack for Windows
  Attacking WEP
  Attacking WPA
  coWPAtty
  Exploiting Cisco LEAP
  asleap
  WiFiZoo
  Wesside-ng
  www.wirelessdefence.org
  Typical Wired/Wireless Network
  802.1X: EAP Types
  EAP Advantages/Disadvantages
  EAP/TLS Deployment
  New Age Protection
  Review
IDS Evasion
Covering Tracks
  Overview
  Disabling Auditing
  Clearing an Event Log
  Hiding Files with NTFS Alternate Data Stream
  NTFS Streams Countermeasures
  Stream Explorer
  Logs and Auditing
  Logs and Auditing
  Tor: Anonymous Internet Access
  How Tor Works
  How Tor Works
  How Tor Works
  Encrypted Tunnel Notes
  Linux Shell
  Linux Bash Shell
Protocols
  Overview
  OSI – Application Layer
  OSI – Presentation Layer
  OSI – Session Layer
  Transport Layer
  OSI – Network Layer
  OSI – Data Link
  OSI – Physical Layer
  Protocols at Each OSI Model Layer
  TCP/IP Suite
  Port and Protocol Relationship
  Conceptual Use of Ports
  UDP versus TCP
  Protocols – ARP
  Protocols – ICMP
  Network Service – DNS
  SSH Security Protocol
  SSH
  Protocols – SNMP
  Protocols – SMTP
  Example Packet Sniffers
  Sniffer Detection using Cain & Abel
  Active Sniffing Methods
  Linux Tool Set: Dsniff Suite
  Dsniff Operation
  Countermeasures for Sniffing
  What is Steganography?
  Steganography Tools
  Shredding Files Left Behind
  Leaving No Local Trace
  More Anonymous Software
  StealthSurfer Privacy Stick
Vulnerability Scanning
  Overview
  Vulnerabilities in Network Services
  Vulnerabilities in Networks
  Staying Abreast: Security Alerts
  Vulnerability Scanners
  Nessus
  Nessus Report
  Tool: LANguard
  Instructor Demonstration
  Vulnerability Scanners Examples
  Microsoft Baseline Analyzer
  MBSA Scan Report
Network Level Attacks
  Overview
  IP Spoofing
  Ingress Filtering
  ARP Cache Poisoning
  ARP Normal Operation
  ARP Cache Poisoning
  ARP Cache Poisoning (Linux)
  Countermeasures
  What is DNS spoofing?
  Tools: DNS Spoofing
  TCP Connect Port Scan
  TCP 3-Way Handshake
  TCP Flags
  Session Hijacking
  4 methods continued
  Methods to Prevent Session Hijacking
  Buffer OverFlows
  Buffer Overflow Definition
  Overflow Illustration
  How Buffers and Stacks Are Supposed to Work
  Stack Function
  How a Buffer Overflow Works
  Buffer Overflows
  Heap Spraying
  Prevention
  Example Packet Sniffers
  Tool: Pcap & WinPcap
  Tool: Wireshark
  TCP Stream Re-assembling
  Wireshark can re-create any TCP session.
  Tool: Packetyzer
  tcpdump & windump
  Tool: OmniPeek
  Sniffer Detection using Cain & Abel
  Promiscuous-mode Scanner
  Active Sniffing Methods
  Switch Table Flooding
  ARP Cache Poisoning
  ARP Normal Operation
  ARP Cache Poisoning (Linux)
  Countermeasures
  Tool: Cain and Abel
  Ettercap
  Linux Tool Set: Dsniff Suite
  Dsniff Operation
  MailSnarf, MsgSnarf, FileSnarf
  What is DNS spoofing?
  Tools: DNS Spoofing
  Session Hijacking
  Breaking SSL Traffic
  Tool: Breaking SSL Traffic
  Tool: Cain and Abel
  Voice over IP (VoIP)
  Intercepting VoIP
  Intercepting RDP
  Cracking RDP Encryption
  Routing Protocols Analysis
  Countermeasures for Sniffing
Evading The Firewall and IDS
  Evasive Techniques
  Firewall – Normal Operation
  Evasive Technique - Example
  Evading With Encrypted Tunnels
  Newer Firewall Capabilities
  ‘New Age’ Protection
  Networking Device – Bastion Host
  SpySnare - Spyware Prevention System (SPS)
  Intrusion ‘SecureHost’ Overview
  Intrusion Prevention Overview
  Review
Hacking Linux Systems
  Overview
  Introduction
  File System Structure
  Kernel
  Processes
  Starting and Stopping Processes
  Interacting with Processes
  ACCOUNTS AND GROUPS
  Password & Shadow File Formats
  Accounts and Groups
  Linux and UNIX Permissions
  Set UID Programs
  Trust Relationships
  Logs and Auditing
  Common Network Services
  Remote Access Attacks
  Brute-Force Attacks
  Brute-Force Countermeasures
  X Window System
  X Insecurities
  Countermeasures
  Network File System (NFS)
  NFS in Action
  NFS Countermeasures
  Passwords and Encryption
  Password Cracking Tools
  Salting
  Symbolic Link
  Symlink Countermeasure
  Core File Manipulation
  Shared Libraries
  Kernel Flaws
  File and Directory Permissions
  SUID Files Countermeasure
  File and Directory Permissions
  World-Writable Files Countermeasure
  Clearing the Log Files
  Rootkits
  Rootkit Countermeasures
  Review
Hacking Windows Systems
  Overview
  Types of Password Attacks
  Keystroke Loggers
  Password Guessing
  Password Cracking LM/NTLM Hashes
  LM Hash Encryption
  NT Hash Generation
  Syskey Encryption
  Instructor Demonstration
  Cracking Techniques
  Precomputation Detail
  Creating Rainbow Tables
  Free Rainbow Tables
  NTPASSWD: Hash Insertion Attack
  Password Sniffing
  Windows Authentication Protocols
  Hacking Tool: Kerbsniff & KerbCrack
  Countermeasure: Monitoring Event Viewer Log
  Hard Disk Security
  Free HD Encryption Software
  Breaking HD Encryption
  Tokens & Smart Cards
  Smart Cards
Covering Tracks
  Overview
  Disabling Auditing
  Clearing an Event Log
  Hiding Files with NTFS Alternate Data Stream
  Instructor Demonstration
  NTFS Streams Countermeasures
  Stream Explorer
  What is Steganography?
  Instructor Demonstration
  Steganography Tools
  Shredding Files Left Behind
  Leaving No Local Trace
  More Anonymous Software
  StealthSurfer Privacy Stick
  Tor: Anonymous Internet Access
  How Tor Works
  Instructor Demonstration
  Encrypted Tunnel Notes:
  Hacking Tool: RootKit
  Windows RootKit Countermeasures
  Review
Advanced Code and Application Attack Techniques
  Overview
  How Do Exploits Work?
  Format String
  Race Conditions
  Memory Organization
  Buffer OverFlows
  Buffer Overflow Definition
  Overflow Illustration
  Stack Function
  How a Buffer Overflow Works
  Heap Overflows
  Heap Spraying
  Prevention
  Security Code Reviews
  Stages of Exploit Development
  Shellcode Development
  The Metasploit Project
  Defense in Depth
  Meterpreter
  Fuzzers
  Instructor Demonstration
  Review
Password Cracking
  Password Guessing
  Password Cracking LM/NTLM Hashes
  Passwords and Encryption
  Popular Password Crackers
  Password Cracking Tools
  John the Ripper
  One-Time Password
  Rule-Based Attack
  L0phtCrack
  Ophcrack
  Brutus
  Precomputation Detail
  Creating Rainbow Tables
  Free Rainbow Tables
  Cain
  Tool: Enumeration with Cain and Abel
Enumeration
  Enumeration Overview
  Web Server Banners
  Practice: Banner Grabbing with Telnet
  SuperScan 4 Tool: Banner Grabbing
  HTTPrint
  SMTP Server Banner
  DNS Enumeration
  Zone Transfers from Windows 2000 DNS
  Backtrack DNS Enumeration
  Instructor Demonstration
  Countermeasure: DNS Zone Transfers
  SNMP Insecurity
  SNMP Enumeration Tools
  SNMP Enumeration Countermeasures
  Active Directory Enumeration
  LDAPMiner
  AD Enumeration Countermeasures
  Null sessions
  Syntax for a Null Session
  Viewing Shares
  Tool: DumpSec
  NAT Dictionary Attack Tool
  THC-Hydra
  Null Session Countermeasures
  Enumeration Tools Summary
  Review
Attacking Web Technologies and Applications
  Overview
  Web Server Market Share
  Common Web Application Threats
  Progression of the Professional Hacker
  The Anatomy of a Web Application Attack
  Components of a Generic Web Application System
  Query String
  URL mappings to the web application system
  Web Application Penetration Methodologies
  Changing URL Login Parameters
  Cross-Site Scripting (XSS)
  Stored Cross-Site Scripting Illustrated
  Reflected Cross-Site Scripting Illustrated
  Business Impacts of XSS
  Finding and Fixing XSS
  Injection Flaws
  Unvalidated Input
  Unvalidated Input Illustrated
  Business Impacts of Unvalidated Input
  Finding and Fixing Unvalidated Input
  Attacks against IIS
  IIS Directory Traversal
  Unicode
  IIS Logs
  Unicode Example
  Assessment Tool: Stealth HTTP Scanner
  Instructor Demonstration
  NTOSpider
  HTTrack Tool: Copying the website offline
  Wikto
  Tool: Paros Proxy
  Instructor Demonstration
  Tool: Burp Proxy
  Dictionary Maker
  Cookies
  Acunetix Web Scanner
  OWASP WebScarab
  A Web Application Testing Proxy
  Samurai Web Testing Framework
  Review
Database Exploitation
  Overview
  Vulnerabilities and Common Attacks
  SQL Injection
  Business Impacts of SQL Injection
  Why SQL “Injection”?
  SQL Injection: Enumeration
  SQL Extended Stored Procedures
  Direct Attacks
  SQL Connection Properties
  Attacking Database Servers
  Obtaining Sensitive Information
  Hacking Tool: SQL Ping 3
  Hacking Tool: osql.exe
  Hacking Tool: Query Analyzers
  Hacking Tool: SQLExec
  www.petefinnegan.com
  Hacking Tool: Metasploit
  Finding and Fixing SQL Injection
  Hardening Databases
  Review
Denial-of-Service Attack
  Effects of DoS Attacks
  DDoS Issues
  Permanent Denial of Service Attack
  DDoS Attack
  DDoS Pulsing Zombie
  Reflected Attack
  Fork Bomb
  Backscatter
  Resource Starvation
  Livelock
  Banana Attack
  Nuke
  Non-Repudiation
  SQL Slammer Worm
  FIN Scan
  Idle Scan
  SYN Floods
  Smurf Attack
Malware Goes Undercover
  Overview
  Distributing Malware
  Malware Capabilities
  Auto starting Malware
  Countermeasure: Monitoring Autostart Methods
  Tool: Netcat
  Netcat Switches
  Netcat as a Listener
  Instructor Demonstration
  Executable Wrappers
  Instructor Demonstration
  Benign EXE’s Historically Wrapped with Trojans
  Tool: Restorator
  Tool: Exe Icon
  The Infectious CD-Rom Technique
  Trojan: Backdoor.Zombam.B
  Trojan: JPEG GDI+ All in One Remote Exploit
  Advanced Trojans: Avoiding Detection
  BPMTK
  Malware Countermeasures
  Gargoyle Investigator
  Spy Sweeper Enterprise
  CM Tool: Port Monitoring Software
  CM Tools: File Protection Software
  CM Tool: Windows File Protection
  CM Tool: Windows Software Restriction Policies
  Company Surveillance Software
  CM Tool: Hardware-based Malware Detectors
  Countermeasure: User Education
  Review
Maintaining Access
  Trojan Horses
  Types of Trojans
  Trojan Engines
  Trojan Vectors
  System Integrity Verifiers
  Back Orifice Trojan
  Trojan.Lodear
  Win32/FlyStudio
  Win32/Pacex.Gen
  Win32/PSW.OnLineGames
  WMA/TrojanDownloader.GetCodec
  Qaz
  Types of Malware
  Types of Malware Cont...
  Types of Viruses
  More Malware: Spyware
  Benign EXE’s Historically Wrapped with Trojans
  The Infectious CD-Rom Technique
  Trojan: Backdoor.Zombam.B
  Trojan: JPEG GDI+ All in One Remote Exploit
  Advanced Trojans: Avoiding Detection
  Malware Countermeasures
  Rootkits
  Rootkits
  Hacking Tool: RootKit
  Windows RootKit Countermeasures
  Rootkit Countermeasures
  Adore
  chkrootkit
  Firmware rootkit
  Kernel-level rootkits
  Application Level Rootkit
  Boot Loader Rootkit
  rkhunter
  Kernel Flaws
  Instructor Demonstration
Covering the Tracks
  Overview
  Disabling Auditing
  Clearing an Event Log
  Hiding Files with NTFS Alternate Data Stream
  NTFS Streams Countermeasures
  Stream Explorer
  Logs and Auditing
  Tor: Anonymous Internet Access
  Encrypted Tunnel Notes
  Linux Shell
  Linux Bash Shell
Protocols
  Overview
  OSI – Application Layer
  OSI – Presentation Layer
  OSI – Session Layer
  Transport Layer
  OSI – Network Layer
  OSI – Data Link
  OSI – Physical Layer
  Protocols at Each OSI Model Layer
  TCP/IP Suite
  Port and Protocol Relationship
  Conceptual Use of Ports
  UDP versus TCP
  Protocols – ARP
  Protocols – ICMP
  Network Service – DNS
  SSH Security Protocol
  SSH
  Protocols – SNMP
  Protocols – SMTP
  Example Packet Sniffers