EC Council Certified Ethical Hacker v9.0

Intrusion Prevention and Detection System Basics. An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.

Intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network.



FireEye products,
LightCyber,
Rapid7 / Nexpose
OpenVAS tools


1. Welcome (4 min)
2. Building a LAB: Concepts (6 min)
3. Building a LAB: Networking (9 min)
4. Deploy a Kali Linux VM (14 min)
5. Adding Metasploitable to Your Lab (11 min)
6. Adding Windows to Your Lab (14 min)
7. Configure a Static IP on Kali (5 min)
8. Windows Evaluations (7 min)
9. Deploy Windows 8.1 (15 min)
10. Deploy Windows 2012 (11 min)
11. Deploy Windows 10 (7 min)
12. Deploy Windows 2016 (7 min)
13. Ethics and Hacking (10 min)
Classes of Hackers
a)      Black Hat (unauthorized use)
b)      White Hat (authorized testing, with permission)
c)       Gray Hat (goes both ways: white hat by day, black hat by night)
d)      Suicide Hacker (does not care about the law or the consequences)
e)      Script Kiddie (brand new; uses other people's scripts)
f)       Cyber Terrorist (hacks in the name of a religion or organization)
g)      State Sponsored Hacker (hired by a country to attack in its national interest)
h)      Hacktivist (political agenda)
Security vs Hacking
·         Intrusion detection systems
·         Methodologies that hackers might be using
·         Control / secure the network
EC-Council
·         E-Commerce Consultants Council (ECC)
·         Code of ethics
14. Hacking Vocabulary (6 min)
a)      Vulnerability: a weakness in a device's configuration or implementation
b)      Exploit: the means by which an attacker breaches the weakness
c)       Payload: the component of the attack that does the damage, e.g. shutting a system down or making it unreachable; the payload is the part of the code that performs the malicious activity
d)      Zero-day attack: a vulnerability exists in the device's software and the vendor does not yet have a patch available to fix it (Windows / Cisco)
e)      Daisy Chaining: gaining access to one computer on the network, spreading the attack through the network and finally reaching the DMZ
f)        Doxing: publishing personally identifiable information (PII) about an individual
g)      Bot: a software agent controlled remotely and used to attack (DoS)
h)      Botnet: multiple compromised computers used together to attack, e.g. flooding a target with ICMP requests (DDoS)
i)        Banner Grabbing: a technique used to glean information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network.
j)        Reconnaissance: gathering information
o   Active Reconnaissance: interacting directly with the target (job interview, phone call)
o   Passive Reconnaissance: gathering information covertly from company public data, social media pages, etc.
k)      CIA: Confidentiality, Integrity, Availability
l)        Security Account Manager (SAM) is a database file in Windows XP, Windows Vista and Windows 7 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthorized users from gaining access to the system.
m)    MITM: Man-in-the-Middle attack
15. InfoSec Concepts (5 min)
Information Security
Security makes a system less easy to use and slows it down, because of the layers and layers of protection.
3 aspects:
        I.            Functionality
      II.            Usability
    III.            Security: more security means less functionality and less usability (the trade-off triangle)
Security will avoid theft, tampering and disruption.
CIA: Confidentiality, Integrity, Availability
a)      Confidentiality: only the intended individuals can see the data, on disk or on the network
b)      Integrity: trustworthiness of data / authenticity / non-repudiation
c)       Availability: authorized users should have access to the data

16. Attack Categories, Types, and Vectors (5 min)
Attack Vectors:
a)      APT (Advanced Persistent Threat): very advanced, long term, custom-written code
b)      Botnets: attacks from many computers at once
c)       Cloud Computing: a weak link
d)      Insider Attack: e.g. an ex-employee
e)      Mobile Threats: via wireless networks
f)       Viruses: via a flash drive or clicking on a link
Attack Types:
a)      OS attacks
b)      Device misconfiguration attacks
c)       Application-level attacks: SQL injection
d)      Shrink-wrap / default: using default passwords

17. Five Phases of Hacking (5 min)
5 phases of hacking:
1)      Reconnaissance: gather information
a)      Active Reconnaissance: interacting directly with the target (job interview, phone call)
b)      Passive Reconnaissance: gathering information covertly from company public data, social media pages, etc.
2)      Scanning: port, network and vulnerability scanning, OS detection
3)      Gaining Access: gain access (e.g. via contractor access) and spread to other computers on the network
4)      Maintaining Access: for future attacks
5)      Clearing Tracks: go unnoticed


18. Footprinting and Reconnaissance Concepts (11 min)
Collect information from:
·         Google search engine
·         Cached websites
·         Netcraft: which OS is in use
·         AnyWho: people
·         Maps / satellite images
·         Market value / company profile
·         Job sites: a posting such as "hiring Java programmer" reveals the technology in use
·         Forums / social media websites
·         Google hacking: advanced Google searches
·         Company website: HTML source / notes left by developers
·         Email message headers
·         Whois.net
·         DNS to IP address
·         Network mapping
·         Social engineering
19. Search Engine Tools (8 min)
·         Google, Yahoo, Bing, DuckDuckGo
·         Cached sites: Archive.org
·         Map sites
·         People: anywho.com
·         Job search sites
·         Third party: Netcraft (OS and technology)
·         Google incognito

20. Hacking using Google (12 min)
a)      Google Advanced Search
b)      Google Hacking Database
21. Website Recon Tools (13 min)
·         Firebug: HTML details
·         Web Data: download information from the website (email addresses / content)
·         HTTrack: mirror a whole website
22. Metagoofil Metadata Tool (3 min)
·         Metagoofil: Kali tool; looks for PDF / DOC files on the website and reports the total number of documents
23. Email Headers for Footprinting (5 min)
·         Email: inspect the email header
·         eMailTrackerPro
24. Using WHOIS for Recon (4 min)
·         SmartWhois
·         Whois
25. DNS Tools (12 min)
·         List of DNS record types
·         nslookup (Kali)
o   set type=aaaa (IPv6 address records)
o   www.xyz
o   set type=mx (mail servers)
·         network-tools.com
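The nslookup session above (set type=aaaa, set type=mx, then a name) rides on plain DNS messages. The Python script below is added here as an illustration and is not part of the course notes: it builds the same query nslookup sends, parses the answer section of a reply (including name compression), and refuses a reply whose transaction id does not match the query, which is the basic check a resolver performs against spoofed answers. The domain example.com and the hosts mail1/mail2 are constructed, and the reply bytes are assembled in code so the script runs offline; query_server is an optional helper that performs a live lookup if you pass it a resolver address.

```python
import ipaddress
import os
import socket
import struct

# Record types the notes mention ("set type=aaaa", "set type=mx") plus a few common ones.
RTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
RTYPE_NAME = {v: k for k, v in RTYPE.items()}

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label), terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, rtype: str, txid: int) -> bytes:
    """Standard recursive query: what nslookup sends after 'set type=<rtype>'."""
    # Header: id, flags (only RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", RTYPE[rtype], 1)

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at offset; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:  # defensive: a malformed reply could loop pointers forever
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the field ends after the first pointer we follow
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg: bytes, expected_txid: int):
    """Return [(owner, type, ttl, value), ...] from the answer section, after sanity checks."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: discard reply")  # basic anti-spoofing check
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == RTYPE["A"]:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == RTYPE["AAAA"]:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == RTYPE["MX"]:
            pref = struct.unpack(">H", rdata[:2])[0]
            host, _ = decode_name(msg, off + 2)  # exchange name may use compression
            value = (pref, host)
        elif rtype in (RTYPE["NS"], RTYPE["CNAME"]):
            value, _ = decode_name(msg, off)
        else:
            value = rdata
        records.append((owner, RTYPE_NAME.get(rtype, rtype), ttl, value))
        off += rdlen
    return records

def constructed_mx_response(txid: int = 0x1234) -> bytes:
    """Constructed reply to 'example.com MX' with two exchangers, using name compression."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # QR=1 RD=1 RA=1; 1 question, 2 answers
    question = encode_name("example.com") + struct.pack(">HH", RTYPE["MX"], 1)
    ptr = b"\xc0\x0c"  # pointer to the question name, which starts at offset 12

    def mx(pref: int, label: str) -> bytes:
        rdata = struct.pack(">H", pref) + bytes([len(label)]) + label.encode() + ptr
        return ptr + struct.pack(">HHIH", RTYPE["MX"], 1, 300, len(rdata)) + rdata

    return header + question + mx(10, "mail1") + mx(20, "mail2")

def query_server(name: str, rtype: str, server: str, timeout: float = 3.0):
    """Optional live lookup over UDP/53 with a random txid, like a real resolver. Not run offline."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rtype, txid), (server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_response(reply, txid)

if __name__ == "__main__":
    for rec in parse_response(constructed_mx_response(), 0x1234):
        print(rec)
```

Running it prints the two MX records with preferences 10 and 20. The txid check and the pointer-hop limit are the two defensive details worth noticing: without the first, anyone who can guess a predictable id can answer in the server's place, and without the second a crafted reply can hang the parser.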
26. Network Scanning Overview (3 min)
·         ping
·         nmap -sn
·         Look for open ports
·         Banner Grabbing: a technique used to glean information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network.
27. Network Scanning Methodology (9 min)

28. Port Discovery (11 min)

29. Network Scanning Tools (3 min)

30. Stealth Idle Scanning (10 min)

31. OS and Application Fingerprinting (10 min)

32. Vulnerability Scanning (8 min)
·         Nessus: tenable.com
33. Network Mapping Tools (5 min)
·         Network Topology Mapper: solarwinds.com
34. Proxy Servers (8 min)
·         Proxy work bench


35. Using Public Proxy Services (6 min)
·         Proxy switcher.com

36. Enumeration Concepts (5 min)

37. NetBIOS Enumeration (11 min)
·         NetBIOS Wiki
·         NetBIOS suffix Wiki
·         NetBIOS over TCP/IP Wiki
·         net command
·         netstat command
·         NetBIOS Enumerator

38. SNMP Enumeration Concepts (10 min)

39. SNMP Enumeration Tools (10 min)
·         IP Network Browser

40. LDAP Enumeration Concepts (5 min)
·         LDAP (Lightweight Directory Access Protocol) is a software protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
·         LDAP uses TCP ports 389/636
·         Look for users with the ADMIN role
·         jxplorer.org
41. LDAP Enumeration Example (7 min)
42. NTP Enumeration (7 min)
·         Network Time Protocol
·         UDP port 123
·         Time stamps in logs
·         Digital certificates
·         Active Directory

43. SMTP Enumeration (8 min)
·         Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (email) transmission. First defined by RFC 821 in 1982, it was last updated in 2008 with the Extended SMTP additions in RFC 5321, which is the protocol in widespread use today. SMTP by default uses TCP port 25.
·         Ports: POP3 TCP 110 / 995; IMAP TCP 143 / 993; SMTP TCP 25
·         Login/username is the email address
·         nslookup SMTP.COX.NET
·         telnet SMTP.COX.NET 25
·         SMTP commands (Wiki)
·         Tarpit: deliberately slowing down the SMTP server's responses
·         smtp-user-enum -M RCPT -u bob.cox.net -t SMTP.COX.NET (reports whether the user exists)
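RCPT-mode enumeration works because a server that answers 550 "User unknown" for each probed address confirms which mailboxes exist. From the defender's side that behaviour leaves a very recognisable trail: one client, many distinct rejected recipients in a short window. The Python script below is added here as an illustration (it is not from the course, nor from the smtp-user-enum project): it parses constructed log lines loosely modelled on Postfix's "NOQUEUE: reject: RCPT from" format and flags any source that is refused for at least threshold distinct recipients within window_s seconds. Host names, addresses and timestamps are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines, loosely modelled on Postfix "NOQUEUE: reject:" output.
# 198.51.100.7 probes six mailboxes in ten seconds (enumeration pattern);
# 203.0.113.9 mistypes two addresses an hour apart (ordinary user error).
def _reject(ts, client, rcpt):
    return (f"Mar  3 {ts} mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from {client}: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
            f"table; to=<{rcpt}> proto=ESMTP")

SAMPLE_LOG = "\n".join(
    ["Mar  3 10:00:01 mx postfix/smtpd[2345]: connect from unknown[198.51.100.7]"]
    + [_reject(f"10:00:{2 + 2 * i:02d}", "unknown[198.51.100.7]", f"{u}@example.com")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_reject("10:30:11", "mail.partner.example[203.0.113.9]", "jon.smith@example.com"),
       _reject("11:30:45", "mail.partner.example[203.0.113.9]", "john.smiht@example.com")]
)

# Syslog timestamp, host, smtpd pid, client host[ip], SMTP reply code, recipient.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S*)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>"
)

def parse_line(line: str, year: int = 2017):
    """Return a dict for a RCPT reject line, or None for anything else (connects, deliveries...)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "code": int(m["code"]), "rcpt": m["rcpt"].lower()}

def find_enumerators(events, window_s: int, threshold: int):
    """Map client IP -> largest number of distinct rejected recipients seen in any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] == 550:  # permanent rejections are the enumeration signal
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window forward until it spans at most window_s seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            distinct = {e["rcpt"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts

def detect(log_text: str, window_s: int = 300, threshold: int = 5):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return find_enumerators(events, window_s, threshold)

if __name__ == "__main__":
    for ip, n in detect(SAMPLE_LOG).items():
        print(f"possible recipient enumeration from {ip}: {n} distinct unknown users")
```

With the defaults only 198.51.100.7 is reported; the partner relay's two typos an hour apart stay below the threshold. The thresholds are deliberately conservative because legitimate senders do produce occasional 550s. On the server side the VRFY variant of the same probe can simply be switched off in Postfix (disable_vrfy_command = yes), while RCPT probing cannot be disabled without accepting mail for unknown users, which is why the tarpit delay mentioned in the notes (smtpd_error_sleep_time in Postfix) and alerting of this kind are the practical controls.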


44. System Hacking Overview (9 min)
Stages:
Goals:
·         Bypass controls:
o   Password attacks
§  Non-electronic attacks: social engineering
§  Active online attacks: malware / using software
§  Passive online attacks: packet captures / man-in-the-middle attacks
§  Offline attacks: password files / default passwords
·         Get access rights
o   Escalating privileges
·         Maintain remote access
o   Backdoor
o   Keylogger
o   Rootkits
·         Hide activities
o   Covering tracks
o   Record audio
o   VoIP recording
o   Activate camera
45. Password Cracking Concepts (10 min)
·         Social engineering
·         Recovery systems: e.g. Cisco password recovery
·         Weak, simple or default passwords
·         Dictionary vs brute force
·         Trojan / spyware / keylogger
·         Sniffing or MITM (man in the middle)
·         Rainbow tables
·         SAM
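Dictionary attacks, rainbow tables and the SAM appear together in the list above because they rely on the same property: an unsalted, fast hash maps each password to one fixed value, so a table computed once is reusable against every stored hash. The Python script below is added here as an illustration and is not part of the course notes. It shows a tiny precomputed table recovering an unsalted SHA-256 hash, and then why that table is useless against the hardened form, a per-user random salt with a deliberately slow KDF (PBKDF2-HMAC-SHA256). The word list and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a dictionary / rainbow-table input.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2017"]

def precomputed_table(words):
    """Unsalted hash -> plaintext. Built once, reusable against every unsalted hash."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def recover_unsalted(table, stored_hash):
    """With unsalted hashes a reverse lookup is all the attacker needs."""
    return table.get(stored_hash)

def store_salted(password: str, iterations: int = 100_000):
    """Hardened storage: 16-byte random salt per user plus a slow key derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

def demo():
    table = precomputed_table(WORDLIST)

    # Unsalted: one lookup recovers the password.
    recovered = recover_unsalted(table, hashlib.sha256(b"letmein").hexdigest())

    # Salted: the same password stored twice yields two different hashes, so no
    # precomputed table can cover them; the attacker must start over per salt,
    # and each guess now costs `iterations` hash computations instead of one.
    rec1 = store_salted("letmein")
    rec2 = store_salted("letmein")
    same_hash_twice = rec1["hash"] == rec2["hash"]
    table_hit = recover_unsalted(table, rec1["hash"])

    return (recovered, same_hash_twice, table_hit,
            verify_salted("letmein", rec1), verify_salted("qwerty", rec1))

if __name__ == "__main__":
    print(demo())
```

The tuple returned by demo() reads ("letmein", False, None, True, False): the unsalted hash falls to a lookup, the salted records never collide, the table has nothing to match, and verification still works only for the correct password. The same reasoning is why the older unsalted LM/NTLM hashes held in the SAM are the classic rainbow-table target, while salted, iterated storage forces an attacker back to per-account brute force.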

46. Password Attack Example: MITM and Sniffing (13 min)

47. Rainbow Crack Lab Setup (8  min)


48. Rainbow Crack Demonstration (8 min)

49. Password Reset Hacking (8 min)

50. DHCP Starvation (10 min)

51. Remote Access (15 min)

52. Spyware (9 min)


53. NTFS Alternate Data Streams Exploit (9 min)

54. Steganography with OpenPuff (7 min)




55. Steganography with SNOW (5 min)
56. Covering Tracks (7 min)

57. Malware Overview (10 min)



58. Trojan Overview (10 min)


59. Creating a Trojan (11 min)



60. Virus Overview (13 min)




61. Virus Creation (8 min)



62. Detecting Malware (17 min)

63. Malware Analysis (10 min)

64. Hash File Verification (8 min)



65. Sniffing Overview (12 min)


66. CAM Table Attack and Port Security (10 min)
67. DHCP Snooping (14 min)
68. Dynamic ARP Inspection (DAI) (14 min)
69. Social Engineering (15 min)
70. Denial of Service (DoS) Attacks (19 min)
71. Session Hijacking (18 min)
72. Hacking Web Servers (10 min)
73. Buffer Overflow (13 min)
74. OWASP Broken Web Application Project (13 min)
75. Shellshock (6 min)
76. SQL Introduction (9 min)
77. SQL Injection (16 min)
78. Web App Vulnerabilities: WordPress (10 min)
79. Wireless Hacking (18 min)
80. Using an Android VM (4 min)
81. Malware for Mobile (11 min)

82. Mobile Device Risks and Best Practices (13 min)




83. Firewall Evasion (19 min)




84. Firewall ACL Example (15 min)



85. NAT and PAT fundamentals (11 min)
86. IDS/IPS Evasion (17 min)
87. Honeypots (12 min)
88. Cloud Computing (23 min)
89. CIA: Confidentiality, Integrity, and Availability (3 min)
90. Policies (9 min)
91. Quantifying Risk (6 min)
92. Separation of Duties (13 min)
93. Symmetrical Encryption Concepts (14 min)
94. Asymmetrical Encryption Concepts (16 min)
95. Control Types (11 min)
96. Multifactor Authentication (12 min)
97. Centralized Identity Management (13 min)
98. Kerberos and Single Sign On (SSO) (17 min)
99. Backups and Media Management (9 min)
100. Operations Security Controls (14 min)
101. Physical Security Controls (11 min)
102. Incident Response (12 min)
103. VPNs (21 min)
104. Disaster Recovery Planning (13 min)
105. Pen Testing Tips (10 min)

106. Useful Tools (11 min)

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.

Burp Suite - PortSwigger.net 

https://portswigger.net/burp Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing ..
TCPdump
NSlookup
Nmap
Zenmap


107. Case Study (21 min)

108. Additional Resources and Exam Prep (8 min)

SSL and SSH are both public-key cryptography tunneling protocols that aim to secure confidential data. SSL, Secure Sockets Layer, protects data in transit on the net and relies on certificates to authenticate the server; SSH, Secure Shell, is a network application used to transfer or share data with a remote computer.

SSL and SSH both provide the cryptographic elements to build a tunnel for confidential data transport with checked integrity. For that part, they use similar techniques, and may suffer from the same kind of attacks, so they should provide similar security (i.e. good security) assuming they are both properly implemented. That both exist is a kind of NIH syndrome: the SSH developers should have reused SSL for the tunnel part (the SSL protocol is flexible enough to accommodate many variations, including not using certificates).
They differ on the things which are around the tunnel. SSL traditionally uses X.509 certificates for announcing server and client public keys; SSH has its own format. Also, SSH comes with a set of protocols for what goes inside the tunnel (multiplexing several transfers, performing password-based authentication within the tunnel, terminal management...) while there is no such thing in SSL, or, more accurately, when such things are used in SSL they are not considered to be part of SSL (for instance, when doing password-based HTTP authentication in an SSL tunnel, we say that it is part of "HTTPS", but it really works in a way similar to what happens with SSH).
Conceptually, you could take SSH and replace the tunnel part with the one from SSL. You could also take HTTPS and replace the SSL thing with SSH-with-data-transport and a hook to extract the server public key from its certificate. There is no scientific impossibility and, if done properly, security would remain the same. However, there is no widespread set of conventions or existing tools for that.
So we do not use SSL and SSH for the same things, but that's because of what tools historically came with the implementations of those protocols, not due to a security related difference. And whoever implements SSL or SSH would be well advised to look at what kind of attacks were tried on both protocols.



Here's a little guide that I hope can help. The advice here is not intended for 'activists' or 'hacktivists' or hackers who already know these things, and who have advanced needs and knowledge. It's for everyone else, technical or non-technical.
Not many Internet users know this, but regular software updates can block as many as 85% of all targeted attacks on your software (according to the US Computer Emergency Readiness Team).
Do:
- Set travel notices on your credit cards
- Do all your computer, app, and phone updates
- Back up your phone and laptop; use FileVault if you're on a Mac
- Empty all the trash
- Remove from your devices any files that are non-essential or sensitive
- Disconnect auto-posting on any apps you'll be using, and remove non-essential connected services (like if you have Disqus approved to use your Twitter account, etc.)
HIGH-RISK BEHAVIORS
There are things you may normally do in your everyday life with your mobile, computer or laptop. Things you should assume are compromised include Wi-Fi and phone networks (spoofed cell towers), and things like charging stations. High-risk behaviors include:
- Using Wi-Fi or wired (Ethernet) connections without a VPN
- Using Bluetooth
- Using phone/data (tethered) connections without a VPN
- Accessing websites that don't use https
- Leaving your device or computer "always on" Wi-Fi or Bluetooth
OTHER HIGH-RISK BEHAVIORS TO AVOID IN THE PERIMETER
- Logging in on services, i.e. where you might type your password
- Accessing banking or credit card services, billing services, or things where sensitive data is accessed
- Calling services where you need to provide identity codes, security question answers, or your social security number; like credit cards, your bank, etc.
MITIGATING RISK
What you're at risk for is being hacked, which means a lot of different things. This means being spied on in your communications or through your camera, having your logins and passwords fall into malicious hands, ending up with malware on your phone, having your address books copied and stolen, and more. If you get hacked, you'll need to change all your passwords, and you may need to get a new phone, tablet or laptop. The hassles and harm can be more and worse, of course, depending on your situation.
You can mitigate risk with a little conventional hacker wisdom:
- In general, your risk is higher with Android - but your risk is not zero with Apple/iOS.
- Unless you already use it, don't bother with Tor
- Always use a VPN (TunnelBear for iOS, Perfect Privacy; see Torrent for more recommendations)
- Consider using encrypted communication apps like WhatsApp and Signal
- Shut your phone off when you're not using it
- Keep Wi-Fi and Bluetooth turned off on your laptop when not needed
- Cover your cameras with stickers, post-its, or tape
- Always pretend someone is looking over your shoulder and ogling your screen; you'll behave in safer ways
- If you know how to, encrypt external hard drives / USB sticks so they require a password
- If you use an Apple computer, use FileVault to encrypt your Mac (Yosemite does this by default)
- Always require your phone, laptop, tablet (etc) to have a password
- Turn off your electronics when they're not in use
- Use a password manager app (1password), and use it to a) eliminate duplicate passwords, and b) create crazy complicated passwords. These are also good for foiling "shoulder surfing"
- Double check all links for accuracy before you click them; if they look weird or have a typo, don't click
IN ADDITION, DO NOT EVER:
- Click on strange links, or links from unexpected prompts (even if it's a log-in page that looks legit)
- Open or respond to fishy, unexpected or unusual emails
- Open or download attachments even from trusted sources unless you're expecting them
- Download anything from text messages or click links in texts (unless expected)
- Assume the "Google Free Wi-Fi" you see in a list of available networks is actually Google's Wi-Fi
- Use a cord, battery or charging station that isn't yours
- Log into anything on someone else's phone or computer
- Plug a USB stick into your computer that isn't yours
- Leave your phone, tablet or laptop out of your sight; it's a hassle, but I carry mine everywhere I go when I'm on site.
Src: violetblue
BE SMART & CREATIVE IN CYBER WORLD

Pro Teknologi was created on 22 February 2017. This blog is my hope to share something useful with others, in the form of tips about blogging, the Internet, computers, and other interesting information.
