Ethical Hackers are Here!!!

Vishal Academy Certified Security Analyst (VCSA)

Prerequisites : Brief knowledge of computer Network and Server management and Security,VCEH

Module 1: The Need for Security Analysis
What Are We Concerned About?
So What Are You Trying To Protect?
Why Are Intrusions So Often Successful?
What Are The Greatest Challenges?
Environmental Complexity
New Technologies
New Threats, New Exploits
Limited Focus
Limited Expertise
Confi dentiality
We Must Be Diligento:p>
Threat Agents
Assessment Questions
How Much Security is Enough?
Simplifying Risk
Risk Analysis
Risk Assessment Answers Seven Questions
Steps of Risk Assessment
Risk Assessment Values
Information Security Awareness
Security policies
Types of Policies
Promiscuous Policy
Permissive Policy

Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
Other Important Policies
Policy Statements
Basic Document Set of Information Security Policies
ISO 17799
Domains of ISO 17799
No Simple Solutions
U.S. Legislation
California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
USA Patriot Act 2001
U.K. Legislation
How Does This Law Affect a Security Offi cer?
The Data Protection Act 1998
The Human Rights Act 1998
Interception of Communications
The Freedom of Information Act 2000
The Audit Investigation and Community Enterprise Act 2005
Module 2: Advanced Googling
Site Operator
error | warning
login | logon
username | userid | employee.ID | “your username is”
password | passcode | “your password is”

admin | administrator
admin login
–ext:html –ext:htm –ext:shtml –ext:asp –ext:php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
intranet | help.desk
Locating Public Exploit Sites
Locating Exploits Via Common Code Strings
Searching for Exploit Code with Nonstandard Extensions
Locating Source Code with Common Strings
Locating Vulnerable Targets
Locating Targets Via Demonstration Pages
“Powered by” Tags Are Common Query Fodder for Finding Web Applications
Locating Targets Via Source Code
Vulnerable Web Application Examples
Locating Targets Via CGI Scanning
A Single CGI Scan-Style Query
Directory Listings
Finding IIS 5.0 Servers
Web Server Software Error Messages
IIS HTTP/1.1 Error Page Titles
“Object Not Found” Error Message Used to Find IIS 5.0
Apache Web Server
Apache 2.0 Error Pages
Application Software Error Messages
ASP Dumps Provide Dangerous Details
Many Errors Reveal Pathnames and Filenames
CGI Environment Listings Reveal Lots of Information
Default Pages
A Typical Apache Default Web Page
Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Default Pages Query for Web Server
Outlook Web Access Default Portal
Searching for Passwords
Windows Registry Entries Can Reveal Passwords
Usernames, Cleartext Passwords, and Hostnames!

Module III: TCP/IP Packet Analysis
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Access Layer
Comparing OSI and TCP/IP
IPv4 Addresses
IP Classes of Addresses
Reserved IP Addresses
Private Addresses
IPv4 and IPv6
Transport Layer
Flow Control
Three-Way Handshake
TCP/IP Protocols
TCP Header
IP Header
IP Header: Protocol Field
TCP and UDP Port Numbers
Port Numbers
TCP Operation
Synchronization or 3-way Handshake
Denial of Service (DoS) Attacks
DoS Syn Flooding Attack
Windowing and Window Sizes
Simple Windowing
Sliding Windows
Sequencing Numbers
Positive Acknowledgment and Retransmission (PAR)
UDP Operation
Port Numbers Positioning between Transport and Application Layer (TCP and UDP

Port Numbers
What Makes Each Connection Unique?
Internet Control Message Protocol (ICMP)
Error Reporting and Error Correction
ICMP Message Delivery
Format of an ICMP Message
Unreachable Networks
Destination Unreachable Message
ICMP Echo (Request) and Echo Reply
Detecting Excessively Long Routes
IP Parameter Problem
ICMP Control Messages
ICMP Redirects
Clock Synchronization and Transit Time Estimation
Information Requests and Reply Message Formats
Address Masks
Router Solicitation and Advertisement
Module 4: Advanced Sniffi ng Techniques
What is Wireshark?
Wireshark: Filters
IP Display Filters
Wireshark: Tshark
Wireshark: Editcap
Wireshark: Mergecap
Wireshark: Text2pcap
Using Wireshark for Network Troubleshooting
Network Troubleshooting Methodology
Using Wireshark for System Administration
ARP Problems
ICMP Echo Request/Reply Header Layout
TCP Flags
TCP SYN Packet Flags Bit Field
Capture Filter Examples
Scenario 1: SYN no SYN+ACK

Scenario 2: SYN Immediate Response RST
Scenario 3: SYN SYN+ACK ACK
§ Using Wireshark for Security Administration
Detecting Internet Relay Chat Activity
Wireshark as a Detector for Proprietary Information Transmission
Sniffer Detection
Wireless Sniffi ng with Wireshark
Using Channel Hopping
Interference and Collisions
Recommendations for Sniffi ng Wireless
Analyzing Wireless Traffi c
IEEE 802.11 Header
IEEE 802.11 Header Fields
Filtering on Source MAC Address and BSSID
Filtering on BSSID
Filter on SSID
Wireless Frame Types Filters
Unencrypted Data Traffi c
Identifying Hidden SSIDs
Revealed SSID
Identifying EAP Authentication Failures
Identifying the EAP Type
Identifying Key Negotiation Properties
EAP Identity Disclosure
Identifying WEP
Identifying TKIP and CCMP
Identifying IPSec/VPN
Decrypting Traffi c
TCP Connect Scan
SYN Scan
Null Scan
Remote Access Trojans
NetBus Analysis

Trojan Analysis Example NetBus Analysis
Module 5: Vulnerability Analysis with Nessus
Features of Nessus
Nessus Assessment Process
Nessus: Scanning
Nessus: Enumeration
Nessus: Vulnerability Detection
Confi guring Nessus
Updating Nessus Plug-Ins
Using the Nessus Client
Starting a Nessus Scan
Generating Reports
Data Gathering
Host Identifi cation
Port Scan
SYN scan
Port Scanning Rules of Thumb
Plug-in Selection
Dangerous plugins
Scanning Rules of Thumb
Report Generation
Reports: Result
Identifying False Positives
Suspicious Signs
False Positives
Examples of False Positives
Writing Nessus Plugins
Writing a Plugin
Installing and Running the Plugin
Nessus Report with output from our plugin
Security Center

Module 6: Advanced Wireless Testing
Wireless Concepts
Wireless Concepts
802.11 Types
Core Issues with 802.11
What’s the Difference?
Other Types of Wireless
Spread Spectrum Background
Access Point
Service Set ID
Default SSIDs
Wi-Fi Equipment
Expedient Antennas
Vulnerabilities to 802.1x and RADIUS
Wired Equivalent Privacy
Security - WEP
Wired Equivalent Privacy
Exclusive OR
Encryption Process
Chipping Sequence
WEP Issues
WEP - Authentication Phase
WEP - Shared Key Authentication
WEP - Association Phase
WEP Flaws
WEP Attack
WEP: Solutions
WEP Solution – 802.11i
Wireless Security Technologies
WPA Interim 802.11 Security
802.1X Authentication and EAP
EAP Types
Cisco LEAP
TKIP (Temporal Key Integrity Protocol)

Wireless Networks Testing
Wireless Communications Testing
Report Recommendations
Wireless Attack Countermeasures
Wireless Penetration Testing with Windows
Attacks And Tools
War Driving
The Jargon – WarChalking
Wireless: Tools of the Trade
Mapping with Kismet
WarDriving with NetStumbler
How NetStumbler Works?
“Active” versus “Passive” WLAN Detection
Disabling the Beacon
Running NetStumbler
Captured Data Using NetStumbler
Filtering by Channels
How Monkey-Jack Works
Before Monkey-Jack
After Monkey-Jack
How Does It Work?
FMS and Korek Attacks
Crack WEP
Available Options
Usage Examples
Cracking WPA/WPA2 Passphrases
Determining Network Topology: Network View
WarDriving and Wireless Penetration Testing with OS X
What is the Difference between “Active” and “Passive” Sniffi ng?
Using a GPS
Attacking WEP Encryption with KisMAC

Deauthenticating Clients
Attacking WPA with KisMAC
Brute-force Attacks Against 40-bit WEP
Wordlist Attacks
Mapping WarDrives with StumbVerter
MITM Attack basics
MITM Attack Design
MITM Attack Variables
Hardware for the Attack Antennas, Amps, WiFi Cards
Wireless Network Cards
Choosing the Right Antenna
Amplifying the Wireless Signal
Identify and Compromise the Target Access Point
Compromising the Target
Crack the WEP key
Aircrack-ng Cracked the WEP Key
The MITM Attack Laptop Confi guration
IP Forwarding and NAT Using Iptables
Installing Iptables and IP Forwarding
Establishing the NAT Rules
Confi guring Dnsmasq
Apache Web Servers
Virtual Directories
Clone the Target Access Point and Begin the Attack
Start the Wireless Interface
Deauthenticate Clients Connected to the Target Access Point
Wait for the Client to Associate to Your Access Point
Spoof the Application
Modify the Page
Example Page
Login/php page
Redirect Web Traffi c Using Dnsmasq
Module 7: Designing a DMZ
DMZ Concepts

Multitiered Firewall With a DMZ Flow
DMZ Design Fundamentals
Advanced Design Strategies
Designing Windows DMZ
Designing Windows DMZ
Precautions for DMZ Setup
Security Analysis for the DMZ
Designing Sun Solaris DMZ
Placement of Servers
Advanced Implementation of a Solaris DMZ Server
Solaris DMZ Servers in a Conceptual Highly Available Confi guration
Private and Public Network Firewall Ruleset
DMA Server Firewall Ruleset
Solaris DMZ System Design
Disk Layout and Considerations
Designing Wireless DMZ
Placement of Wireless Equipment
Access to DMZ and Authentication Considerations
Wireless DMZ Components
Wireless DMZ Using RADIUS to Authenticate Users
WLAN DMZ Security Best-Practices
DMZ Router Security Best-Practice
DMZ Switch Security Best-Practice
Six Ways to Stop Data Leaks
Module 8: Snort Analysis
Snort Overview
Modes of Operation
Features of Snort
Confi guring Snort
Output Plugins
Working of Snort
Initializing Snort

Parsing the Confi guration File
Possible Decoders
Content Matching
Content-Matching Functions
The Stream4 Preprocessor
Inline Functionality
Writing Snort Rules
Snort Rule Header
Snort Rule Header: Actions
Snort Rule Header: Other Fields
IP Address Negation Rule
IP Address Filters
Port Numbers
Direction Operator
Rule Options
Activate/Dynamic Rules
Meta-Data Rule Options: msg
Reference Keyword
sid/rev Keyword
Classtype Keyword
Payload Detection Rule Options: content
Modifi er Keywords
Offset/depth Keyword
Uricontent keyword
fragoffset keyword
ttl keyword
id keyword
fl ags keyword
itype keyword : icmp id
Writing Good Snort Rules
Sample Rule to Catch Metasploit Buffer Overfl ow Exploit
Tool for writing Snort rules: IDS Policy Manager
Subscribe to Snort Rules

Honeynet Security Console Tool
Key Features
Module 9: Log Analysis
Introduction to Logs
Types of Logs
Events that Need to be Logged
What to Look Out For in Logs
W3C Extended Log File Format
Automated Log Analysis Approaches
Log Shipping
Analyzing Syslog
Setting up a Syslog
Syslog: Enabling Message Logging
Main Display Window
Confi guring Kiwi Syslog to Log to a MS SQL Database
Confi guring Ethereal to Capture Syslog Messages
Sending Log Files via email
Confi guring Cisco Router for Syslog
Confi guring DLink Router for Syslog
Confi guring Cisco PIX for Syslog
Confi guring an Intertex / Ingate/ PowerBit/ Surfi nBird ADSL router
Confi guring a LinkSys wireless VPN Router
Confi guring a Netgear ADSL Firewall Router
Analyzing Web Server Logs
Apache Web Server Log
Confi guring AWStats for IIS
Log Processing in AWStats
Analyzing Router Logs
Router Logs
Analyzing Wireless Network Devices Logs
Wireless Traffi c Log
Analyzing Windows Logs
Confi guring Firewall Logs in Local Windows System
Viewing Local Windows Firewall Log

Viewing Windows Event Log
AAnalyzing Linux Logs
Log Prefi xing with iptables
Firewall Log Analysis with grep
Analyzing SQL Server Logs
SQL Database Log
ApexSQL Log
Confi guring ApexSQL Log
Analyzing VPN Server Logs
VPN Client Log
Analyzing Firewall Logs
Why Firewall Logs are Important
Firewall Log Sample
ManageEngine Firewall Analyzer
Installing Firewall Analyzer
Viewing Firewall Analyzer Reports
Firewall Analyzer Log Reports
Analyzing IDS Logs
IDS Log Sample
Analyzing DHCP Logs
NTP Confi guration
Time Synchronization and Logging
NTP Overview
NTP Client Confi guration
Confi guring an NTP client using the Client Manager
Confi guring an NTP Server
NTP: Setting Local Date and Time
Log Analysis Tools
All-Seeing Eye Tool: Event Log Tracker
Network Sniffer Interface Test Tool
Syslog Manager 2.0.1
Log Alert Tools

Network Eagle Monitor
Network Eagle Monitor: Features
SQL Server Database Log Navigator
What Log Navigator does?
How Does Log Navigator Work?
Types of Snort Alarms
ACID (Analysis Console for Intrusion Databases)
Module 10: Advanced Exploits and Tools
Common Vulnerabilities
Buffer Overfl ows Revisited
Smashing the Stack for Fun and Profi t
Smashing the Heap for Fun and Profi t
Format Strings for Chaos and Mayhem
The Anatomy of an Exploit
Vulnerable code
Shellcode Examples
Delivery Code
Delivery Code: Example
Linux Exploits Versus Windows
Windows Versus Linux
Tools of the Trade: Debuggers
Tools of the Trade: GDB
Tools of the Trade: Metasploit
Metasploit Frame work
User-Interface Modes
Metasploit: Environment
Environment: Global Environment
Environment: Temporary Environment
Metasploit: Options
Metasploit: Commands
Metasploit: Launching the Exploit
MetaSploit: Advanced Features
Tools of the Trade: Canvas
Tools of the Trade: CORE Impact

IMPACT Industrializes Penetration Testing
Other IMPACT Benefi ts
Impact Demo Lab
Module 11: Penetration Testing Methodologies
Module 12: Customers and Legal Agreements
Module 13: Rules of Engagement
Module 14: Penetration Testing Planning and Scheduling
Module 15: Pre Penetration Testing Checklist
Module 16: Information Gathering
Module 17: Vulnerability Analysis
Module 18: External Penetration Testing
Module 19: Internal Network Penetration Testing
Module 20: Routers and Switches Penetration Testing
Module 21: Firewall Penetration Testing
Module 22: IDS Penetration Testing
Module 23: Wireless Network Penetration Testing
Module 24: Denial of Service Penetration Testing
Module 25: Password Cracking Penetration Testing

Module 26: Social Engineering Penetration Testing
Module 27: Stolen Laptop, PDAs and Cell phones Penetration Testing
Module 28: Application Penetration Testing
Module 29: Physical Security Penetration Testing
Module 30: Database Penetration testing
Module 31: VoIP Penetration Testing
Module 32: VPN Penetration Testing
Module 33: War Dialing
Module 34: Virus and Trojan Detection
Module 35: Log Management Penetration Testing
Module 36: File Integrity Checking
Module 37: Blue Tooth and Hand held Device Penetration Testing
Module 38: Telecommunication and Broadband Communication Penetration Testing
Module 39: Email Security Penetration Testing
Module 40: Security Patches Penetration Testing
Module 41: Data Leakage Penetration Testing
Module 42: Penetration Testing Deliverables and Conclusion
Module 43: Penetration Testing Report and Documentation Writing
Module 44: Penetration Testing Report Analysis

Module 45: Post Testing Actions
Module 46: Ethics of a Licensed Penetration Tester
Module 47: Standards and Compliance