Certified Ethical Hacker (CEH)

Description

Overview:

As a Certified Ethical Hacker (CEH) you will learn how to secure your systems by understanding how to scan, test, hack and secure systems in an interactive environment. Learn how intruders escalate privileges and what steps can be taken to secure systems from attacks.

Prerequisite(s):

Familiarity with security concepts such as authentication, authorization, encryption, and network attacks. Strong understanding of TCP/IP, IP Routing, LAN switching. Minimum 12 mo experience in networking or CCNA certification recommended

Audience:

This course will significantly benefit security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.

Outline:

Lesson 1: Introduction to Ethical Hacking

• Problem Definition. Why Security?
• The Security, functionality and ease of use Triangle
• What does a Malicious Hacker do?
• What do Ethical Hackers do?
• Can Hacking be Ethical?
• How to become an Ethical Hacker.
• Ethical Hacking Testing.
• Computer Crimes and Implications.

Lesson 2: Footprinting

• Defining Footprinting.
• Information Gathering Methodology.
• Locate the Network Range.
• Footprinting Tools

Lesson 3: Scanning

• Definition of Scanning.
• Types of scanning
• Objectives of Scanning
• Scanning Methodology
• Classification of Scanning
• Hacking Tools
• IPsec Scan
• NetScan Tools pro 2003
• OS Fingerprinting
• Active Stack fingerprinting
• Passive Fingerprinting
• Proxy Servers
• Countermeasures

Lesson 4: Enumeration

• What is Enumeration?
• NetBios Null Sessions
• Null Session Countermeasures
• NetBIOS Enumeration
• Simple Network Management Protocol (SNMP) Enumeration
• SNMP Enumeration Countermeasures
• Management Information Base (MIB)
• Windows 2000 DNS Zone Transfer
• Blocking Win 2k DNS Zone Transfer
• Enumerating User Accounts
• DumpReg
• Active Directory Enumeration and Countermeasures

Lesson 5: System Hacking

• Administrator Password Guessing
• Manual Password Cracking Algorithm
• Automated Password Cracking
• Password Types
• Types of Password Attacks
• Performing Automated Password Guessing
• Password Sniffing
• Password Cracking Countermeasures
• Syskey Utility
• Cracking NT/2000 Passwords
• SMBRelay Man-in-the-Middle Scenario
• SMBRelay Weaknesses and Countermeasures
• Keystroke Loggers
• Hiding Files
• Creating Alternate Data Streams
• ADS creation and detection
• LADS (List Alternate Data Streams)
• NTFS Streams Countermeasures
• Stealing Files Using Word Documents
• Field Code Countermeasures
• Steganography
• Steganography Detection
• Covering Tracks
• Disabling Auditing and clearing Event Logs
• Dump Event Log
• RootKit
• Planting the NT/2000 RootKit
• Rootkit Countermeasures

Lesson 6: Trojans and Backdoors

• Effect on Business
• What is a Trojan?
• Overt and Covert Channels
• Working of Trojans
• Different Types of Trojans
• What Trojan Creators look for?
• Different ways a Trojan can get into a system
• Indications of a Trojan Attack
• Some famous Trojans and ports used by them
• How to determine which ports are ?Listening??
• Different Trojans found in the Wild
• Wrappers
• Packaging Tool : Wordpad
• ICMP Tunneling
• Loki Countermeasures
• Reverse WWW Shell ? Covert Channels using HTTP
• Process Viewer
• System File Verification
• Anti-Trojan
• Reverse Engineering Trojans
• Backdoor Countermeasures

Lesson 7: Sniffers

• Definition of sniffing
• How a Sniffer works?
• Passive Sniffing
• Active Sniffing
• Man-in-the-Midle Attacks
• Spoofing and Sniffing Attacks
• ARP Poisoning and countermeasures
• Network Probe
• Sniffing Countermeasures

Lesson 8: Denial of Service

• What is Denial of Service?
• Goal of DoS(Denial of Service)
• Impact and Modes of Attack
• DoS Attack Classification
• Buffer Overflow Attacks
• Distributed DOS Attacks and Characteristics
• Agent Handler Model
• IRC-Based DDoS Attack Model
• DDoS Attack taxonomy
• DDoS Tools
• Reflected DOS Attacks
• Reflection of the Exploit
• Countermeasures for Reflected DoS
• DDoS Countermeasures
• Defensive Tool: Zombie Zapper
• Worms: Slammer and MyDoom.B

Lesson 9: Social Engineering

• What is Social Engineering?
• Art of Manipulation
• Human Weakness
• Common Types of Social Engineering
• Human Based Impersonation
• Example of social engineering
• Computer Based Social Engineering
• Reverse Social Engineering
• Policies and procedures
• Security Policies-checklist

Lesson 10: Session Hijacking

• Understanding Session Hijacking
• Spoofing vs Hijacking
• Steps in Session Hijacking
• Types of Session Hijacking
• TCP Concepts 3 Way Handshake
• Sequence numbers
• Remote TCP Session Reset Utility
• Dangers Posed by Session Hijacking
• Protection against Session Hijacking
• Countermeasures: IP Security

Lesson 11: Hacking Web Servers

• How Web Servers Work?
• How are Web Servers Compromised?
• Popular Web Servers and Common Security Threats
• Apache Vulnerability
• Attack against IIS
• IIS Components
• Sample Buffer Overflow Vulnerabilities
• ISAPI.DLL Exploit
• Code Red and ISAPI.DLL Exploit
• Unicode
• Unicode Directory Traversal Vulnerability
• Msw 3prt IPP Vulnerability
• IPP Buffer Overflow Countermeasures
• Unspecified Executed Path Vulnerability
• File System Traversal Countermeasures
• WebDAV/ ntdll.dll Vulnerability
• RPCDCOM Vulnerability
• ASN Exploits
• IIS Logs
• Network Tool: Log Analyzer
• Hacking Tool: Clean IISLog
• Escalating Privileges on IIS
• Microsoft IIS 5.0 – 5.1 remote denial of service Exploit Tool
• Microsoft Frontpage Server Extensions fp30reg.dll Exploit Tool
• GDI+ JPEG Remote Exploit Tool
• Windows Task Scheduler Exploit Tool
• Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit Tool
• Hot Fixes and Patches
• Vulnerability Scanners
• Network Tools
• Countermeasures
• Increasing Web Server Security

Lesson 12: Web Application Vulnerabilities

• Web Application Set-up
• Web Application Hacking
• Anatomy of an Attack
• Web Application Threats
• Cross Site Scripting/XSS Flaws
• Countermeasures
• SQL Injection
• Command Injection Flaws
• Countermeasures
• Cookie/Session Poisoning
• Countermeasures
• Parameter/Form Tampering
• Buffer Overflow
• Countermeasures
• Directory Traversal/Forceful Browsing
• Countermeasures
• Cryptographic Interception
• Authentication Hijacking
• Countermeasures
• Log Tampering
• Error Message Interception
• Attack Obfuscation
• Platform Exploits
• Internet Explorer Exploits
• DMZ Protocol Attacks
• DMZ
• Countermeasures
• Security Management Exploits
• Web Services Attacks
• Zero Day Attacks
• Network Access Attacks
• TCP Fragmentation
• Hacking Tools:
• Burp: Positioning Payloads
• Burp: Configuring Payloads and Content Enumeration
• Burp
• Burp Proxy: Intercepting HTTP/S Traffic
• Burp Proxy: Hex-editing of Intercepted Traffic
• Burp Proxy: Browser Access to Request History
• Carnivore
• Google Hacking

Lesson 13: Web Based Password Cracking Techniques

• Authentication- Definition
• Authentication Mechanisms
• HTTP Authentication
• Basic Authentication
• Digest Authentication
• Integrated Windows (NTLM) Authentication
• Negotiate Authentication
• Certificate-based Authentication
• Forms-based Authentication
• Microsoft Passport Authentication
• What is a Password Cracker?
• Modus Operandi of an Attacker using Password Cracker
• How does a Password Cracker work?
• Attacks- Classification
• Password Guessing
• Query String
• Cookies
• Dictionary Maker

Lesson 14: SQL Injection

• Attacking SQL Servers
• SQL Server Resolution Service (SSRS)
• Osql-L Probing
• Port Scanning
• Sniffing, Brute Forcing and finding Application Configuration Files
• Database Scanner
• Input Validation Attack
• Login Guessing & Insertion
• Shutting Down SQL Server
• Extended Stored Procedures
• SQL Server Talks
• Preventive Measures

Lesson 15: Hacking Wireless Networks

• Introduction to Wireless Networking
• Business and Wireless Attacks
• Wireless Basics
• Components of Wireless Network
• Types of Wireless Network
• Setting up WLAN
• Detecting a Wireless Network
• How to access a WLAN
• Advantages and Disadvantages of Wireless Network
• Antennas
• SSIDs
• Access Point Positioning
• Rogue Access Points
• What is Wireless Equivalent Privacy (WEP)?
• WEP Tool:
• Related Technology and Carrier Networks
• MAC Sniffing and AP Spoofing
• Terminology
• Denial of Service Attacks
• Man-in-the-Middle Attack (MITM)
• Multi Use Tool: THC-RUT
• Tool: WinPcap
• Auditing Tool: bsd-airtools
• WIDZ- Wireless Detection Intrusion System
• Securing Wireless Networks
• Out of the box Security
• Radius: Used as Additional layer in security
• Maximum Security: Add VPN to Wireless LAN

Lesson 16: Virus and Worms

• Virus Characteristics
• Symptoms of ?virus-like? attack
• What is a Virus Hoax?
• Terminologies
• How is a worm different from virus?
• Indications of a Virus Attack
• Virus History
• Virus damage
• Effect of Virus on Business
• Access Methods of a Virus
• Mode of Virus Infection
• Life Cycle of a virus
• What Virus Infect?
• How virus infect?
• Writing a simple virus program.
• Writing DDOS Zombie Virus
• Virus Construction Kits
• Virus Creation Scripts
• Virus Detection Methods
• Virus Incident Response
• What is Sheep Dip?
• Prevention is better than Cure
• Anti-Virus Software
• Popular Anti-Virus packages
• Virus Analyzers

Lesson 17: Physical Security

• Security statistics
• Physical Security breach incidents
• Understanding Physical Security
• What is the need of Physical Security?
• Who is Accountable for Physical Security?
• Factors affecting Physical Security
• Physical Security checklist
• Company surroundings
• Premises
• Reception
• Server
• Workstation Area
• Wireless Access Points
• Other Equipments such as fax, removable media etc
• Access Control
• Computer Equipment Maintenance
• Wiretapping
• Remote access
• Lock Picking Techniques
• Spying Technologies

Lesson 18: Linux Hacking

• Why Linux?
• Linux basics
• Chrooting
• Why is Linux Hacked?
• Linux Vulnerabilities in 2003
• How to apply patches to vulnerable programs
• Scanning Networks
• Password cracking in Linux.
• ipchains vs. ipfwadm
• How to Organize Firewall Rules
• Security Auditor?s Research Assistant (SARA)
• TCP Wrappers
• Linux Loadable Kernel Modules
• Rootkit countermeasures:
• Advanced Intrusion Detection System (AIDE)
• Linux Security testing tools
• NMap
• LSOF
• Netcat
• Nemesis
• Linux tools: Log and traffic monitors:
• Linux Security Auditing Tool (LSAT)
• Linux Security countermeasures

Lesson 19: Evading Firewalls, IDS and Honeypots

• Intrusion Detection Systems
• Ways to Detect Intrusion
• Types of Intrusion Detection System
• Intrusion Detection Tools
• Steps to perform after an IDS detects an intrusion
• Evading IDS systems
• Tools to Evade IDS
• Introduction to Firewalls
• Firewall Identification
• Firewalking
• Banner Grabbing
• Breaching Firewalls
• Placing Backdoors through Firewalls
• Hiding Behind Covert Channel: Loki
• ACK tunneling
• Tools for testing IDS and Firewalls
• Introduction to Honeypots
• Honeypot Project
• Types of Honeypots
• Honeypot: Specter
• Honeypot: Honeyd
• Honeypot: KFSensor
• Hacking Tool: Sebek
• Tools to Detect Honeypot
• Send-Safe Honeypot Hunter
• Nessus Security Scanner

Lesson 20: Buffer Overflows

• Significance of Buffer Overflow Vulnerability
• Why are Programs/Applications Vulnerable?
• Buffer Overflows
• Reasons for Buffer Overflow Attacks
• Knowledge required writing Buffer Overflow Exploits
• How a Buffer Overflow occurs?
• Understanding Stacks
• Stack Implementation
• Stack based buffer overflow
• Shellcode
• Heap Based buffer overflow
• How to detect Buffer Overflows in a Program?
• Attacking a real program
• NOPS
• How to mutate a Buffer Overflow Exploit? featuring ADMutate
• Countermeasures
• Return Address Defender (RAD)
• StackGuard
• Immunix System
• Vulnerability Search – ICAT

Lesson 21: Cryptography

• Public-key Cryptography
• Working of Encryption
• Digital Signature
• Digital Certificate
• RSA (Rivest Shamir Adleman)
• RSA Attacks
• Brute forcing RSA factoring
• Esoteric attack
• Chosen cipher text attack
• Low encryption exponent attack
• Error analysis
• Other attacks
• MD5
• SHA (Secure Hash Algorithm)
• SSL (Secure Socket Layer)
• RC5
• What is SSH?
• Government Access to Keys (GAK)
• RSA Challenge
• distributed.net
• PGP (Pretty Good Privacy)
• Code Breaking Methodologies
• Using Brute Force
• Frequency Analysis
• Trickery and Deceit
• One-Time Pad
• Cryptography Attacks
• Disk Encryption
• Cracking S/MIME Encryption using idle CPU Time
• Command Line Scriptor

Lesson 22: Penetration Testing – Part 1

• Need for a Methodology
• Penetration Test vs. Vulnerability Test
• Reliance on Checklists and Templates
• Phases of Penetration Testing
• Passive Reconnaissance
• Best Practices
• Results that can be expected
• Indicative passive reconnaissance steps include (but are not limited to)
• Introduction to Penetration Testing
• Type of Penetration Testing Methodologies
• Open Source Vs Proprietary Methodologies
• Security Assessment Vs Security Auditing
• Risk Analysis
• Types of Penetration Testing
• Types Ethical Hacking
• Vulnerability Assessment Vs Penetration Testing
• Do-it Yourself Testing
• Firms Offering Penetration Testing Services
• Penetration Testing Insurance
• Explication of Terms of Engagement
• Pen-Test Service Level Agreements
• Offer of Compensation
• Starting Point and Ending Points of Testing
• Penetration Testing Locations
• Black Box Testing
• White Box Testing
• Grey Box Testing
• Manual Penetration Testing
• Automated Penetration Testing
• Selecting the Right Tools
• Pen Test Using Appscan
• Evaluating Different Types of Pen-Test Tools
• Platform on Which Tools Will be Used
• Asset Audit
• Fault Tree and Attack Trees
• GAP Analysis
• Device Inventory
• Perimeter Firewall Inventory
• Web Server Inventory
• Load Balancer Inventory
• Local Area Network Inventory
• Demilitarized Zone Firewall
• Internal Switch Network Sniffer
• Application Server Inventory
• Database Server Inventory
• Name Controller and Domain Name Server
• Physical Security
• ISP Routers
• Legitimate Network Traffic Threat
• Unauthorized Network Traffic Threat
• Unauthorized Running Process Threat
• Loss of Confidential Information
• Business Impact of Threat
• Pre-testing Dependencies
• Post-testing Dependencies
• Failure Management
• Test Documentation Processes
• Penetration Testing Tools
• Defect Tracking Tools
• Configuration Management Tools
• Disk Replication Tools
• Pen-Test Project Scheduling Tools
• Network Auditing Tools
• DNS Zone Transfer Testing Tools
• Trace Route Tools and Services
• Network Sniffing Tools
• Denial of Service Emulation Tools
• Traditional Load Testing Tools
• System Software Assessment Tools
• Operating System Protection Tools
• Fingerprinting Tools
• Port Scanning Tools
• Directory and File Access Control Tools
• File Share Scanning Tools
• Password Directories
• Password Guessing Tools
• Link Checking Tools
• Web site Crawlers
• Web-Testing based Scripting Tools
• Buffer Overflow Protection Tools
• Buffer Overflow Generation Tools

Lesson 23: Penetration Testing – Part 2

• Input Data Validation Tools
• File encryption Tools
• Database Assessment Tools
• Keyboard Logging and Screen Reordering Tools
• System Event Logging and Reviewing Tools
• Tripwire and Checksum Tools
• Mobile-Code Scanning Tools
• Centralized Security Monitoring Tools
• Web Log Analysis Tools
• Forensic Data and Collection Tools
• Security Assessment Tools
• Multiple OS Management Tools
• SANS Institute TOP 20 Security Vulnerabilities
• All Operating System Platforms
• Default installs of operating systems and applications
• Accounts with no passwords or weak passwords
• Nonexistent or incomplete backups
• Large number of open ports
• Not filtering packets for correct incoming and outgoing addresses
• Nonexistent or incomplete logging
• Vulnerable Common Gateway Interface (CGI) programs
• Windows-specific
• Unicode vulnerability-Web server folder traversal
• Internet server application programming interface (ISAPI) extension buffer overflows
• IIS Remote Data Services (RDS) exploit
• Network Basic Input Output System (NetBIOS), unprotected Windows networking shares
• Information leakage via null session connections
• Weak hashing in SAM (Security Accounts Manager)-LanManager hash
• UNIX-specific
• Buffer overflows in Remote Procedure Call (RPC) services
• Sendmail vulnerabilities
• Bind weaknesses
• Remote system command (such as rcp, rlogin, and rsh) vulnerabilities
• Line Printer Daemons (LPD) vulnerabilities
• Sadmind and mountd exploits
• Default Simple Network Management Protocol (SNMP) strings
• Penetration Testing Deliverable Templates
• Test Status Report Identifier
• Test Variances
• Test Comprehensive Assessment
• Summary of Results (Incidents)
• Test Evaluation
• Names of Persons (Approval)
• Template Test Incident Report
• Template Test Log
• Active Reconnaissance
• Attack Phase
• Activity: Perimeter Testing
• Activity: Web Application Testing – I
• Activity: Web Application Testing – II
• Activity: Wireless Testing
• Activity: Acquiring Target
• Activity: Escalating Privileges
• Activity: Execute, Implant & Retract
• Post Attack Phase & Activities
• Automated Penetration Testing Tool – CORE Impact