Certified Penetration Testing Training CPTS Instructor-Led Course 5 Days Outline Updated October 19 2004

THIS COURSE HAS BEEN UPDATED

FREE CPTS Exams for DoD personnel (Globally)

Click Here for new course outline

Course Description:

Our CPTS Penetration Testing Training has been built upon proven, hands-on Penetration Testing methodologies as utilized by our international group of specialized consultants. Mile2 trainers must keep their hands dirty in the field by consulting as we believe that an equal emphasis on theoretical and real world experience is essential for effective knowledge transfer to you as a student. The CPTS presents information on the latest vulnerabilities and defenses. This class also enhances the business skills needed to identify protection opportunities, justify testing activities and optimize security controls appropriate to the business needs in order to reduce business risk. We go far beyond simply teaching you to “Hack” which has been the norm with the classes that have been available until now. Our course is developed on the same principals and uses the same methods as those of a hacker but its focus is professional penetration testing and securing information assets.

Definition: Vulnerability Assessment and Penetration Test

Certified Professional Exams:

CPTS - Certified Penetration Testing Specialist (Thomson Prometric - Globally) CEH – Certified Ethical Hacker 312-50 (Prometric Prime – Limited Availability)

Prerequisites:

• A minimum of 12 months experience in networking technologies
• Solid knowledge of TCP/IP
• Computer hardware Knowledge
• Knowledge of Microsoft packages
• Network+, Security+
• Knowledge of Linux would be beneficial but not a necessity Do I really need Linux?
  • We also deliver Linux+ Training Outline

Follow-on Classes:

• CPTE (Certified Pen Testing Expert) - 5 Days
• DFED - Computer Forensics & Electronic Discovery - 3 Days
• ADFT - Advanced Computer Forensics Techniques - 3 Days
• DFED/ADFT Bootcamp - 5 Days
• CPPT - Certified Perimeter Protection Tactician - 5 Days
• WNA - Wireless Network Administration - 3 Days
• WNS - Wireless Network Security – 3 Days
• WLA - Wireless Leakage Analysis (Includes PDA Tool) - 2 Days
• Disaster Recovery and Business Continuity - 3 Days

MODULE 1 - An Introduction to Penetration Testing Training

• What is Penetration Testing? (Blackbox vs Whitebox testing)
• What are the responsibilities for a Penetration Tester?
• An Overview of the Open-Source Security Testing Methodology Manual
• Methodology for Penetration Testing
• Penetration Testing Options
• Vulnerability Result Report Writing
• Understanding Hackers
• What Hackers Do – Hacker’s / Administrators View
• Who Are Hackers
• Categorizing Hackers
• Attack Categories
• Intrusion Methods
• The Security Process and The CIA Model
• Threat Analysis

MODULE 2 - Active-Passive Reconnaissance Techniques

• Planning and starting the test
• Information Gathering & Footprinting
• Passive information Gathering
  • Basic Search Techniques
  • Using Search Engines
• Advanced Search Techniques (Spam DBs, P2P networks)
  • Google Hacking Techniques (Google cache)
  • Finding Interesting Files and Directories (robots.txt)
  • Searching Newsgroups
• Whois Search
• Active information Gathering
• Site Mapping/Mirroring (wget) and why it’s useful
• Using Information Gathering Tools (tracert, nslookup, zone transfer)
• Lab Session

  Scanning & Fingerprinting

• Port Scanning Techniques
  • Using port Scanning Tools
  • Types of port scan
  • TCP connect () scan
  • TCP SYN scan
  • IP protocol scan
  • TCP FIN scan
  • NULL scan
  • Xmas scan
  • ACK scan
  • Idle scan
• An introduction to netcat
• What is netcat
• How do you use netcat
  • Advanced netcat usage
• An introduction to hping
• What is hping
• How do you use hping
• Advanced hping usage
• OS Fingerprinting – how does it work?
• OS Fingerprinting Tools (xprobe, nmap, cheops & p0f)
• Service probing
  • Using Telnet
  • Using netcat
  • Using nmap
  • How service probing also helps with OS fingerprints
  • OS Fingerprint Countermeasures
• Lab Session

  Enumeration

• Understanding Enumeration
• Types of Enumeration
• NetBIOS Enumeration
  • Users and Groups
  • Using net Command
  • Using NBSTAT
• SNMP Enumeration
  • Public Strings (bruteforcing them)
  • SNMPwalk
  • Advanced SNMP enumeration
• AD Enumeration
  • An introduction to LDAP
  • Using LDAP techniques with AD
• Using Enumeration Tools:
• Linux & Windows Tools will be covered
• Lab Session

MODULE 3 - Cryptography Decrypted

• What is Cryptography?
• PKI and Public Key cryptography
• Hashing/Message digests
• Distribution of keys (X.509, PGP)
• Common Standards (SSL, IPSec, DES, AES, Blowfish, MD5, SHA-1)
• Lab Session

MODULE 4 - Vulnerability Assessment

• Understanding Vulnerabilities
• Types of vulnerability
• Techniques for Finding Vulnerability
• Automated vulnerability Scanning tools
• Open Source vulnerability scanners
• Commercial vulnerability Scanners
• Microsoft MBSA
• X-Scan Scanner
• Retina Scanner
• GFI LANguard Network Security Scanner
• Lab Session

MODULE 5 - Hacking Windows

• Windows Architecture Overview
• Rights Management Services / Identity Integration Server
• Vulnerabilities & attacks
• Remote password guessing
• Tapping The Wire
• Privilege escalation
• Password cracking
• keystroke loggers
• Password sniffers
• Covering tracks
• Hiding files
• Buffer overflows
• Lab Session

MODULE 6 - Advanced Vulnerability & Exploitation Techniques

• How Does an Exploit Works?
• Exploit Example
• Defense against buffer overflows
• Privilege Escalation
• The Metasploit Project
• CORE Impact In-depth
• Lab Session

MODULE 7 - Malware

• Defining Malware: Trojans and backdoors
  • How Trojans and Backdoors Operate
• Comprehending backdoor variants
• Netcat Indepth
  • Switches
• Overview of various Trojan tools
• Learning effective prevention methods and countermeasures
  • Monitoring Port Usage
  • File Protection
• Overview of Anti-Trojan Software/Hardware
• Generating a Trojan program
• Lab Session

MODULE 8 – Packet Sniffing – Session Hijacking

• What is packet sniffing?
  • Passive and Active Sniffing
  • Sniffing Tools
• What is promiscuous mode?
• The basics of packet sniffing
• Sniffing Hub - switch based networks
• ARP Spoofing - Poisoning
• DNS and IP Sniffing and Spoofing
• HTTPS and SSH Sniffing
• Changing MAC address
  • Tools of the trade
• TCP/IP Stream re-assembly
• Detecting packet sniffers?
• ARP Spoofing countermeasures
• TCP/IP Session Hijacking
• TCP in-depth
• Active/Passive Hijacking
• Spoofing versus hijacking
• Defending against Hijacking
• How do you hijack a session?
• Man in the Middle concepts
• ISN’s (Initial Sequence Numbers)
• Lab Session

MODULE 9 – Attacking Networks – Routers, Firewalls and IDS

• Overview of Firewall’s and IDS
  • IDS Architecture
  • CIDF model of a network IDS Design
• How to bypass Firewall and IDS using Tools
• How to perform attacks on Firewall and IDS.
• Hacking Tools – Fragrouter, Anzen NIDSbench
• Paketto Keiretsu Toolset
• Traceroute in-depth
• Packet Integrity
• Minewt 1.0

MODULE 10 – Attacking Linux

• You will be introduced to core concepts of Linux operating system
  • Linux Concepts
  • Linux File System
  • Linux – The Kernel
  • Linux Shell
  • Linux Configuration Files
  • Linux File Permission and Access
• Examine intricacies of Linux vulnerabilities
  • Physical Access
  • Root kits
• Understand how an attacker can enter into the system
• Linux Tools
• How to control the attacker and minimize loss by hardening system.
  • Root Kit Countermeasure’s

MODULE 11 – Attacking Database’s

• Core concepts of databases
• Types of Databases
• The basic concepts of database and DBMS
• The different functions of DBMS
• Intricacies of different database vulnerabilities and exploits
  • SQL Injection in-depth
  • Credit Card Threats
  • Extended Stored Procedures
  • Login Threats
• Methods to secure the database
  • Oracle
  • MySQL
  • MS-SQL Server
• Detection and patching
• Various tools and techniques
• Lab Session

MODULE 12 – Attacking Web Technologies

• Web Server Assessment Overview
• Introduction to Web Servers
• Web Server Market
• Popular Web Servers and common Vulnerabilities
  • Web Server Exploits
• Apache Web Server Security
• IIS Server Security
  • Attacking IIS Server
  • IIS Architecture
• Attacks against Web Servers
  • Buffer Overflows
  • Printer Overflows
• Tools used in Attacking Web Servers
• Web Server Countermeasures
• Web Application Vulnerabilities
• Web Application Penetration Methodologies
• Understanding Web Application Security
• Common Web Application Security Vulnerabilities
• Input Manipulation
• Authentication And Session Management
• Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth
• Web Application Countermeasures
• Password Cracking Techniques
  • Certificate Based Authentication
  • Forms Based Authentication
  • Password Guessing
  • WebCracker
  • Brutus
  • ObiWan Password Cracker
  • Lab Session

MODULE 13 – Attacking Wireless Networks

• Introduction to Wireless Networks
• Wireless LAN network types
• Deployed Standards
• A vs B vs G
• SSID
• WEP
• WPA vs WEP
• MAC Spoofing
• EAP Types
• Message Integrity Check
• Security Mechanisms in Wireless LAN
• Vulnerabilities
• Attacks
• Attack Tools
• Defense strategies
• Lab Session

MODULE 14 – Managing Operational Security

• Establishing Security Policies and Procedures
  • What are security policies and procedures
  • What are the legal reason for security policies and procedures
• Educating Users About Security Policies
  • Common vulnerabilities introduced by users
  • Training and awareness
• Applying Security Policies to Operational Management
  • Methods of enforcing policies
• Resolving Ethical Dilemmas When Securing Assets

MODULE 15 - Preserving Business Continuity

• Preparing to Recover from Disasters
  • Most Common Causes of Business Disruption
  • Defining Business Continuity Planning
  • Disaster Recovery Planning and Implementation
• Communicating the Impact of Risks
  • Risk Terminology
  • Relationship to Threats and Vulnerabilities
  • Risk Mitigation
• Performing a Secure Backup and Recovery
  • Elements of a Secure Backup Strategy
  • Guidelines for Securing Backup Media
  • Guidelines for Securely Testing the Restoration Process

MODULE 16 – Responding to Security Incidents

• Identifying Security Incidents
  • Common Indicators of Security Incidents
  • Symptoms of Well-Known Attacks
  • Account Activity That May Signal an Attack
  • System Activity That May Signal an Attack
  • Guidelines for Reviewing Log Files
• Responding to Security Incidents
  • What Is an Incident Response Team?
  • Guidelines for Responding to a Security Incident
  • Guidelines for Determining the Severity of an Incident
  • Guidelines for Limiting Damage from an Incident
  • Guidelines for Communicating About an Incident
• Investigating Security Incidents
  • What Are the Sources of Evidence?
  • Electronic Evidence to Examine
  • Guidelines for Preserving Electronic Evidence
  • Guidelines for Analyzing Electronic Evidence

Additional Modules:

Some or all of the following topics are covered in the regular outline above. However, if the class is running ahead of schedule they will be covered in more detail as follows.

TCP/IP Refresher (Student Handout)

• TCP/IP Basics
• The OSI model vs Internet OSI
• TCP Vs UDP
• Others (BGP, ICMP, IGMP)
• TCP Internals – An introduction to TCP headers
• MTU & TTL
• ARP & MAC Addresses
• Error Control
• Fragmentation
• NAT
• Routing
• Recommendations for further reading (TCP/IP Illustrated Vol.1 etc.)
• References

Social Engineering

• What is social engineering?
• The art of deception
• Human Weakness
  • Common types of social engineering (scenarios, security guard, CEO, tech support etc.)
• Dumpster Diving
• Shoulder Surfing
• Mail attachments (refer to malware chapter)
• Phising websites
• Countermeasures
  
  Reading & References www.antionline.com/showthread.php?s=&threadid=231674
  Common Terminology
  Define common acronyms/terms used in the course
  http://sun.soci.niu.edu/~rslade/secgloss.htm

Denial of Service

• What is denial of service?
• What is the point of DoS?
• What is DDoS?
• What is DRDoS
• The story of mafiaboy
• How DDoS can effect a company financially
• Zombies & Zombie networks

Important Intellectual Property Acknowledgments:
Certified Pen Tester, Certified Penetration Tester, Certified Pen Testing Specialist, Certified Pen Testing Expert, Mile2, CPT and CPTS are trademarks of Mile2 mki, Inc. © 2004 All rights reserved