Course Description
This class immerses the student in an interactive environment where they are shown how to scan, test, hack and secure their own systems. The lab-intensive environment gives each student in-depth knowledge and practical experience with current essential security systems. Students begin by understanding how perimeter defenses work and are then led into scanning and attacking their own lab networks (no real network is harmed). Students then learn how intruders escalate privileges and what steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5-day class they will have hands-on understanding and experience in Ethical Hacking.
This course prepares you for the EC-Council CNDA exam 312-99.
Who Should Attend
This course will significantly benefit security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.
Duration:
5 days (9:00 – 5:00)
Certification
The CNDA exam 312-99 may be taken on the last day of the training (optional). Students need to pass the online Prometric exam to receive CNDA certification.
Legal Agreement
The mission of the Ethical Hacking and Countermeasures course is to educate, introduce and demonstrate hacking tools for penetration testing purposes only. Prior to attending this course, you will be asked to sign an agreement stating that you will not use the newly acquired skills for illegal or malicious attacks, that you will not use such tools in an attempt to compromise any computer system, and that you will indemnify EC-Council with respect to the use or misuse of these tools, regardless of intent.
Not everyone can be a student: the Accredited Training Centers (ATC) will make sure that applicants work for legitimate companies.
Course Outline
Version 5
Module 1: Introduction to Ethical Hacking
- Why Security?
- Essential Terminologies
- Elements of Security
- The Security, Functionality, and Ease of Use Triangle
- What Does a Malicious Hacker Do?
  - Reconnaissance
  - Scanning
  - Gaining access
  - Maintaining access
  - Covering Tracks
- Types of Hacker Attacks
  - Operating System attacks
  - Application-level attacks
  - Shrink Wrap code attacks
  - Misconfiguration attacks
- Hacktivism
- Hacker Classes
- Hacker Classes and Ethical Hacking
- What Do Ethical Hackers Do?
- Can Hacking be Ethical?
- How to Become an Ethical Hacker?
- Skill Profile of an Ethical Hacker
- What is Vulnerability Research?
- Why Hackers Need Vulnerability Research?
- Vulnerability Research Tools
- Vulnerability Research Websites
- How to Conduct Ethical Hacking?
- Approaches to Ethical Hacking
- Ethical Hacking Testing
- Ethical Hacking Deliverables
- Computer Crimes and Implications
- Legal Perspective
  - U.S. Federal Law
  - Japan’s Cyber Laws
  - United Kingdom’s Cyber Laws
  - Australia’s Cyber Laws
  - Germany’s Cyber Laws
  - Singapore’s Cyber Laws
Module 2: Footprinting
- Revisiting Reconnaissance
- Defining Footprinting
- Information Gathering Methodology
- Unearthing Initial Information
- Finding a Company’s URL
- Internal URL
- Extracting Archive of a Website
- Google Search for Company’s Info.
- People Search
- Footprinting Through Job Sites
- Passive Information Gathering
- Competitive Intelligence Gathering
- Why Do You Need Competitive Intelligence?
- Companies Providing Competitive Intelligence Services
- Competitive Intelligence
  - When Did This Company Begin?
  - How Did It Develop?
  - What Are This Company's Plans?
  - What Does Expert Opinion Say About The Company?
  - Who Are The Leading Competitors?
- Public and Private Websites
- Tools
  - DNS Enumerator
  - SpiderFoot
  - Sensepost Footprint Tools
    - BiLE.pl
    - BiLE-weigh.pl
    - tld-expand.pl
    - vet-IPrange.pl
    - qtrace.pl
    - vet-mx.pl
    - jarf-rev
    - jarf-dnsbrute
  - Wikito Footprinting Tool
  - Web Data Extractor Tool
  - Whois
  - Nslookup
  - Necrosoft
  - ARIN
  - Traceroute
  - Neo Trace
  - GEOSpider
  - Geowhere
  - GoogleEarth
  - VisualRoute Trace
  - Kartoo Search Engine
  - Touchgraph Visual Browser
  - SmartWhois
  - VisualRoute Mail Tracker
  - eMailTrackerPro
  - Read Notify
  - HTTrack Web Site Copier
  - Web Ripper
  - robots.txt
  - Website watcher
  - E-mail Spider
  - Power E-mail Collector Tool
- Steps to Perform Footprinting
Module 3: Scanning
- Definition of Scanning
- Types of Scanning
  - Port Scanning
  - Network Scanning
  - Vulnerability Scanning
- Objectives of Scanning
- CNDA Scanning Methodology
  - ICMP Scanning
  - Angry IP
  - HPING2
  - Ping Sweep
  - Firewalk
  - Check for open ports
    - Nmap
    - TCP Communication Flags
    - Three Way Handshake
    - SYN Stealth / Half Open Scan
    - Stealth Scan
    - Xmas Scan
    - FIN Scan
    - NULL Scan
    - IDLE Scan
    - ICMP Echo Scanning/List Scan
    - TCP Connect / Full Open Scan
    - FTP Bounce Scan
    - FTP Bounce Attack
    - SYN/FIN Scanning Using IP Fragments
    - UDP Scanning
    - Reverse Ident Scanning
    - RPC Scan
    - Window Scan
    - Blaster Scan
    - PortScan Plus, Strobe
    - IPSecScan
    - NetScan Tools Pro
    - WUPS – UDP Scanner
    - SuperScan
    - IPScanner
    - MegaPing
    - Global Network Inventory Scanner
    - Net Tools Suite Pack
    - FloppyScan
    - War Dialer Technique
    - Why War Dialing?
    - Wardialing
    - PhoneSweep
    - THC Scan
    - SandTrap Tool
  - Banner grabbing/OS Fingerprinting
    - OS Fingerprinting
    - Active Stack Fingerprinting
    - Passive Fingerprinting
    - Active Banner Grabbing Using Telnet
    - GET REQUESTS
    - p0f – Banner Grabbing Tool
    - p0f for Windows
    - Httprint Banner Grabbing Tool
    - Active Stack Fingerprinting
      - XPROBE2
      - RING V2
    - Netcraft
    - Disabling or Changing Banner
      - Apache Server
      - IIS Server
    - IIS Lockdown Tool
    - ServerMask
    - Hiding File Extensions
    - PageXchanger 2.0
  - Identify Service
  - Scan for Vulnerability
    - Bidiblah Automated Scanner
    - Qualys Web-based Scanner
    - SAINT
    - ISS Security Scanner
    - Nessus
    - GFI LANGuard
    - SATAN (Security Administrator’s Tool for Analyzing Networks)
    - Retina
    - NIKTO
    - SAFEsuite Internet Scanner
    - IdentTCPScan
  - Draw network diagrams of Vulnerable hosts
    - Cheops
    - FriendlyPinger
  - Prepare proxies
    - Proxy Servers
    - Use of Proxies for Attack
    - SocksChain
    - Proxy Workbench
    - ProxyManager Tool
    - Super Proxy Helper Tool
    - Happy Browser Tool (Proxy-based)
    - MultiProxy
    - TOR Proxy Chaining Software
  - Anonymizers
    - Primedius Anonymizer
    - Browzar
    - Torpark Browser
    - G-Zapper - Google Cookies
  - SSL Proxy Tool
  - HTTP Tunneling Techniques
  - HTTPort
  - Spoofing IP Address - Source Routing
  - Detecting IP Spoofing
  - Despoof Tool
  - Scanning Countermeasures
  - Tool: SentryPC
Module 4: Enumeration
- Overview of System Hacking Cycle
- What is Enumeration?
- Techniques for Enumeration
- Netbios Null Sessions
- Tools
  - DumpSec
  - NetBIOS Enumeration Using Netview
  - Nbtstat
  - SuperScan4
  - Enum
  - sid2user
  - user2sid
  - GetAcct
- Null Session Countermeasures
- PSTools
  - PsExec
  - PsFile
  - PsGetSid
  - PsKill
  - PsInfo
  - PsList
  - PsLoggedOn
  - PsLogList
  - PsPasswd
  - PsService
  - PsShutdown
  - PsSuspend
  - PsUptime
- SNMP Enumeration
- Management Information Base
- Tools
  - SNMPutil
  - Solarwinds
  - SNScan V1.05
  - Getif SNMP MIB Browser
- UNIX Enumeration
- SNMP UNIX Enumeration
- SNMP Enumeration Countermeasures
- Tools
  - Winfingerprint
  - Windows Active Directory Attack Tool
  - IP Tools Scanner
- Enumerate Systems Using Default Passwords
- Steps to Perform Enumeration
Module 5: System Hacking
- Cracking Passwords
- Password Types
- Types of Password Attacks
  - Passive Online – Wire Sniffing
  - Passive Online Attacks
  - Active Online – Password Guessing
  - Offline Attacks
  - Dictionary Attack
  - Hybrid Attack
  - Brute-force Attack
  - Pre-computed Hashes
- Non-Technical Attacks
- Password Mitigation
- Permanent Account Lockout – Employee Privilege Abuse
- Administrator Password Guessing
- Manual Password Cracking Algorithm
- Automatic Password Cracking Algorithm
- Performing Automated Password Guessing
- Tools
  - NAT
  - Smbbf (SMB Passive Brute Force Tool)
  - SmbCrack Tool
  - Legion
  - L0phtCrack
- Microsoft Authentication - LM, NTLMv1, and NTLMv2
- Kerberos Authentication
- What is LAN Manager Hash?
- Salting
- Tools
  - PWdump2 and Pwdump3
  - Rainbowcrack
  - KerbCrack
  - NBTDeputy
  - NetBIOS DoS Attack
  - John the Ripper
- Password Sniffing
- How to Sniff SMB Credentials?
- Sniffing Hashes Using L0phtCrack
- Tools
  - ScoopLM
  - SMB Replay Attacks
  - Replay Attack Tool: SMBProxy
  - Hacking Tool: SMB Grind
  - Hacking Tool: SMBDie
- SMBRelay Weaknesses & Countermeasures
- Password Cracking Countermeasures
- LM Hash Backward Compatibility
- How to Disable LM Hash?
- Tools
  - Password Brute-Force Estimate Tool
  - Syskey Utility
- Privilege Escalation
- Cracking NT/2000 Passwords
- Active@ Password Changer
- Change Recovery Console Password
- Privilege Escalation Tool: x.exe
- Tools
  - Psexec
  - Remoexec
  - Alchemy Remote Executor
  - Keystroke Loggers
  - E-mail Keylogger
  - Spytector FTP Keylogger
  - IKS Software Keylogger
  - Ghost Keylogger
  - Hardware Keylogger
  - Keyboard Keylogger: KeyGhost Security Keyboard
  - USB Keylogger: KeyGhost USB Keylogger
- What is Spyware?
- Tools
  - Spyware: Spector
  - Remote Spy
  - eBlaster
  - Stealth Voice