Test taking tips & tricks



CEH Clinic

150 test taking tips & tricks

Overview

  • CEH Domains (Questions)

  • Module 01: Introduction to Ethical Hacking (22)

  • Module 02: Hacking Laws (6)

  • Module 03: Footprinting (24)

  • Module 04: Google Hacking (2)

  • Module 05: Scanning (106)

  • Module 06: Enumeration (22)

  • Module 07: System Hacking (17)

  • Module 08: Trojans and Backdoors (18)

  • Module 09: Social Engineering (1)

  • Module 09: Viruses and Worms (11)

  • Module 10: Sniffers (24)

  • Module 11: Social Engineering (9)

  • Module 12: Phishing (1)

  • Module 13: Hacking Email Accounts (10)

  • Module 14: Denial-of-Service (22)

  • Module 15: Session Hijacking (14)

  • Module 16: Hacking Web Servers (24)

  • Module 17: Web Application Vulnerabilities (22)

  • Module 18: Web-Based Password Cracking Techniques (20)

  • Module 19: SQL Injection (11)

  • Module 20: Hacking Wireless Networks (24)

  • Module 21: Physical Security (9)

  • Module 22: Linux Hacking (23)

  • Module 23: Evading IDS, Firewalls and Detecting Honey Pots (48)

  • Module 24: Buffer Overflows (20)

  • Module 25: Cryptography (39)

  • Module 26: Penetration Testing (23)

In Class Stuff

  • Typically a 5-day schedule

  • The information can take 6 months to years to understand and master!

  • DoS News

  • Objectives

  • Flow

  • DoS/DDoS Concepts

  • DoS/DDOS Attack Techniques

  • Botnets

  • DDoS Case Study

  • DoS / DDoS Attack Tools

  • Countermeasures

  • DoS / DDoS Protection Tools

  • Overwhelm Traffic

  • Prevents Legitimate Use

  • DDoS is Different

  • Causes

  • Loss of Goodwill

  • Disabled Network

  • Financial Loss

  • Disabled Organization

  • Keywords

  • Agent / Handler

  • Compromised PCs, aka zombies

  • Command and Control

  • Easily installed with Trojans

  • Symptoms

  • Unavailability

  • Cannot access web services

  • Large Helpdesk Queue

  • Protocols

  • ICQ – Universal Identifier Number (UIN)

  • IRC – computer-to-computer connections (TCP 6667)

  • DoS/DDoS Attack Techniques

  • Bandwidth

  • TCP SYN (Fake TCP SYN)

  • SYN Flooding Attack

  • ICMP Flood

  • Peer-to-Peer Attack Vulnerabilities (file transfer)

  • Permanent DoS

  • Phlashing

  • Sabotage

  • Bricking a system through hardware/firmware updates

  • Application Level Flood Attacks

  • Flood

  • Disrupt

  • Jam

  • Botnet

  • Shark C&C

  • Botnet Command Control Center

  • PlugBot hardware pen testing device

  • Who are the attackers?

  • Anonymous – Julian Assange

  • Low Orbit Ion Cannon

  • Advertise links to download botnet

  • DoSHTTP

  • Sprut

  • PHP DoS / Wireshark the results

  • Detection Techniques

  • Activity Profiling

  • Change point Detection

  • Wavelet-based Signal Analysis

  • Time and frequency analysis to determine the presence of an anomaly

  • Ingress Filtering

  • Egress Filtering

  • TCP Intercept

  • access-list access-list-number {deny | permit} tcp any destination destination-wildcard

  • ip tcp intercept list access-list-number

  • ip tcp intercept mode {intercept | watch}
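The three TCP Intercept commands above assembled into one working Cisco IOS configuration, as an added example that is not from the original notes; the ACL number 101 and the protected server subnet 192.0.2.0/24 (a documentation address range) are assumed:

```text
! Added example, not from the notes. ACL 101 and subnet 192.0.2.0/24 are assumed.
! Only TCP connections the ACL permits are intercepted; everything else passes untouched.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
! Tie the ACL to TCP Intercept
ip tcp intercept list 101
! intercept = the router completes the three-way handshake on the server's behalf and
!             only hands over connections that actually complete (SYN flood absorbed here)
! watch     = the router passively watches and resets half-open connections that never
!             complete within the watch timeout
ip tcp intercept mode intercept
```

Watch mode is the lower-impact starting point on a busy router; intercept mode is the one that actually keeps spoofed SYNs off the server's backlog.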

  • Countermeasures

  • Absorb the Attack

  • Stop Non-Critical Services

  • Stop / Wait

  • Protect Secondary Victims

  • Neutralize Handlers

  • Traffic Analysis

  • Find the Botnet

  • Find Spoofed Source Addresses

  • Prevent the Attack

  • Post Forensics

  • Traffic Analysis

  • Router, firewall, IDS logs, Server Logs

  • Mitigate the Risk of the attack

  • Load Balancing

  • Throttling

  • Deflection / Clustering, Failover, etc…

  • Protection

  • IntelliGuard DDoS Prevention System

  • Tools

  • NetFlow Analyzer (OpManager)

Session Hijacking

Session Hijacking Concepts

  • Why does it work?

  • Clear text transmission

  • Indefinite session expiration time

  • Weak session IDs and authentication

  • No Account Lockouts

  • Small session IDs

  • Insecure Handling

  • Differences

  • Spoofing Attack (breaking authentication / authorizing)

  • Hijacking (Active)

  • Techniques

  • Brute Forcing

  • Cross Site Scripting

  • http://www.server.com/K20120304.08.08.08

  • Stealing Network information

  • HTTP Referrer Attack

  • Trick someone to click a link

  • Calculating newly generated IDs and scripting the results against a vulnerable victim

  • Steps for Session Hijacking

  • Sniff Traffic

  • Monitor Sequence Number

  • Session ID Prediction

  • Session De-synchronization

  • Take Over Session

  • Start Injecting Traffic

  • Types

  • Active (Take Over)

  • Passive (just sniff)

  • Modes

  • Network Level Hijacking (TCP/IP)

  • Application Level Hijacking

  • Man-In-The-Browser

  • Client Side Attacks

  • XSS
  • Malicious JavaScript
  • Trojans
  • Capture Session ID to Web Server

  • Predict the Session token

  • Conduct MITM

  • Session Fixation = means to trick the user!

Network Level Session Hijacking

  • TCP/IP Hijacking

  • 3 Way Handshake Review

  • Sequence Number – 32-bit field. How Many Calculations? ____

  • Calculate them with TCP Flow

  • RST Hijacking

  • Injecting an RST packet with a spoofed source; requires predicting the ACK number

  • You can do this with Hping
  • IP Spoofing: Source Routed Packets

  • MitM

  • UDP Hijacking

  • Give a UDP reply on behalf of a server

  • Blind Hijacking

  • Where you can't see the results / response

  • Tools

  • Paros

  • Burp Suite

  • Firesheep Expired

  • Ferret

  • Hamster

  • Ettercap

  • Hunt

  • Countermeasures

  • Use SSL

  • HTTPS for authentication

  • Logout functionality

  • Generate session ID after login

  • Long random numbers

  • Use encrypted data, not just login

  • Defense

  • OpenSSH

  • Strong Authentication for VPNs

  • AntiSpoof Rules

  • Watch ARP Cache

  • Monitor Traffic

  • IPSec

  • Network level Peer authentication

  • Data origin authentication

  • Data integrity

  • Data confidentiality

  • Replay protection

  • Transport Mode

  • NAT ok…

  • Tunnel Mode

  • No NAT

  • Key management

  • IPSec Driver

  • IKE

  • ISAKMP

  • Oakley

  • IPSec Policy Agent
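The session-ID countermeasures listed above (generate the session ID after login, long random numbers, logout functionality, no indefinite expiration) as an added Python example; this is illustration code, not the course's own, and the in-memory SessionStore class, the 15-minute idle timeout and the 32-byte token length are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this illustration (not from the notes).
SESSION_ID_BYTES = 32            # 256 bits of randomness: a "long random number"
IDLE_TIMEOUT_SECONDS = 15 * 60   # sessions expire; no indefinite expiration time


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    """Hypothetical in-memory server-side session store."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock for testing
        self._sessions: Dict[str, Session] = {}

    def _fresh_id(self) -> str:
        # secrets (CSPRNG), never random.random(): the ID must be unpredictable,
        # which is what defeats "Session ID Prediction" and brute forcing.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def new_session(self) -> str:
        """Anonymous pre-login session."""
        sid = self._fresh_id()
        t = self._now()
        self._sessions[sid] = Session(user=None, created=t, last_seen=t)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Generate the session ID after login: the pre-login ID is discarded,
        so an ID an attacker planted (session fixation) never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        new_sid = self._fresh_id()
        t = self._now()
        self._sessions[new_sid] = Session(user=user, created=t, last_seen=t)
        return new_sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve an ID; idle sessions are dropped instead of living forever."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s.last_seen = self._now()
        return s

    def logout(self, sid: str) -> None:
        """Logout functionality: invalidate server-side, not just the cookie."""
        self._sessions.pop(sid, None)
```

The ID itself still has to travel over HTTPS only (Secure and HttpOnly cookie flags), otherwise the sniffing and MITM techniques listed above pick it up regardless of how random it is.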

Hacking Webservers

  • Wikileaks

  • Webserver Concepts

  • Market Share

  • IIS 26%

  • Apache 54%

  • Nginx, Lighttpd, Google

  • Open Source Webserver Architecture

  • Apache

  • PHP
  • MySQL
  • IIS

  • Svchost
  • http.sys
  • Webserver Threats

  • Website Defacement

  • Compromised?

  • Lack of security policy

  • Misconfigurations

  • Bugs

  • Default settings

  • Unpatched security flaws

  • Unnecessary services

  • Improper file permissions

  • Redundant backup files

  • No SSL certificate

  • Improper authentication

  • Security Conflicts

  • Verbose debugging

  • Anonymous / default user passwords

  • Config scripts left on server

  • Impact

  • Data Tampering

  • Compromise User Accounts

  • Defacement

  • Data Theft

  • Root the whole server

Attack methodology

  • Directory Traversal Attacks ../

  • HTTP Response Splitting

  • Web Cache Poisoning

  • HTTP Response Hijacking

  • SSH Brute Force Attack

  • MITM

  • Webserver Password Cracking

  • Unvalidated Input

  • Parameter / Form Tampering

  • Directory traversal

  • SQL Injection Attacks

  • Command Injection Attacks

  • File Injection Attacks

  • XSS

  • Cross Site Request Forgery (CSRF) Attack

  • Denial-of-Service (DoS) Attack

  • Buffer Overflow Attacks

  • Hacking Steps

  • Information Gathering

  • Whois

  • Internet

  • Newsgroups

  • LinkedIn

  • Httprint

  • httprecon

  • Webserver Footprinting

  • News.NetCraft.net

  • IDServe

  • Metagoofil (crawl website)

  • Mirror the Website

  • HTTrack

  • Website Copier

  • BlackWidow

  • DirBuster

  • Scan for Vulnerabilities

  • Nessus

  • OpenVAS

  • Session Hijacking

  • Burp

  • Hacking Webserver Passwords

  • Brutus, THC-Hydra

  • Webserver attack tools

  • Metasploit

  • Show Consoles

  • msfconsole

  • msfcli

  • msfweb

  • msfwx

  • msfapi

  • Steps: Configure Active Exploit, Verify Options, Select Target, Select Payload, Run

  • Other Tools

  • Wfetch

  • Brutus

  • Countermeasures

  • Patches / Updates

  • Lock down server

  • IISLockdown

  • Defense

  • Registry

  • Shares

  • IIS Metabase

  • ISAPI Filters

  • Script Mappings

  • Virtual Directories

  • Auditing

  • Patch Management

  • Detect

  • MBSA

  • Assess

  • Acquire

  • Test

  • Deploy

  • Manual

  • Automatic

  • Maintain

  • Webserver Security Tools

  • GFI LANguard

  • Altiris

  • Microsoft

  • Sandcat

  • Wikto

  • HackAlert

  • Retina

  • SAINT

  • Pen Testing

  • Identify infrastructure

  • Verify vulnerabilities

  • Remediation of vulnerabilities

Hacking Web Applications

  • News

  • Flow

  • Web App Concepts

  • 80% cross site scripting

  • 62% SQL injection

  • Web 1.0 vs. Web 2.0 (YouTube, LinkedIn)

  • Components

  • Login

  • The web server

  • Session tracking

  • Data store

  • User permissions

  • System admin role

  • The actual applications

  • Web App Threats

  • Hacking Methodology

  • Countermeasures

  • Security Tools

  • Web App Pen Testing

The New You

  • Blogs

  • AJAX (Gmail, YouTube)

  • Mobile iPhone

  • Flash Rich Interface

  • Frameworks

  • Cloud computing

  • Interactive encyclopedias / dictionaries

  • Online software Google Docs

  • Advanced gaming

  • RSS

  • Social Networking site integration

  • Mash-up technology

  • Wikis

  • Useful tools (Google Maps)

  • Vulnerabilities – Review OSI Model

Basic Web Application Threats

  • Unvalidated Input

  • User-generated data must be validated before it is used in a database query

  • Directory traversal

  • ../../

  • Cookie Poisoning

  • Modify Cookie Contents

  • Inject Malicious Content

  • Rewriting the Session Data

  • Cross-Site Scripting (XSS)

  • Inject client-side script into web pages

  • Can be sent via email to steal cookies of the user

  • From Blog Post

  • From Comment Field

  • XSS Cheatsheet

  • Injection Flaws

  • SQL Injection

  • CMD Injection

  • Shell Injection

  • HTML Embedding

  • File Injection

  • LDAP Injection

  • SQL Injection

  • Cross Site Request Forgery (CSRF)

  • Allows an attacker to force a victim's browser to send malicious requests they did not intend

  • Parameter / Form Tampering

  • Cust.asp?profile=82&debt=1500

  • To view, delete, add, etc.

  • Insecure Storage

  • Web Service Attack

  • SOAP

  • WSDL

  • UDDI for footprinting XML

  • XML Poisoning

  • Information Leakage

  • Hidden Field Manipulation

  • Improper Error Handling

  • Insecure Cryptographic Storage (DES key, etc.)

  • Broken Access Control

  • Security Misconfiguration

  • Unpatched flaws

  • Server config problems

  • Improper authentication

  • Unnecessary services

  • Server software flaws

  • Broken Session Management

  • SessionID in URL

  • Timeout Exploitation

  • Password Exploitation

  • Buffer Overflow

  • Log Tampering

  • Broken Account Management

  • DoS

  • Login Attacks

  • User Registration DoS

  • User Enumeration

  • Account Lock-Out Attacks

  • Threats

  • Platform exploit

  • Insecure direct object references

  • Insecure cryptographic storage

  • Authentication hijacking

  • Network access attacks

  • Web services attacks

  • Cookie snooping

  • Obfuscation application

  • Insufficient transport layer protection

  • DMZ protocol attacks

  • Unvalidated redirects and forwards

  • Session fixation attack

  • Malicious file extension

  • Security management exploits

  • Failure to restrict URL access

Web Hacking Methodology

  • Footprint Web Infrastructure

  • Server Discovery

  • Whois

  • DNS

  • Port Scan

  • Service Discovery

  • Zenmap

  • Banner Grabbing

  • Server identification

  • Hidden Content Discovery

  • Brute Forcing

  • Attacker-Directed Spidering

  • Web Spidering

  • Paros
  • Burp
  • webscarab
  • Attack Web Servers

  • UrlScan

  • Nikto

  • Nessus

  • WWWhack

  • Acunetix

  • WebInspect

  • Analyze Web Applications

  • Identify Entry Points for User Input

  • Burp

  • Httprint

  • Webscarab

  • paros

  • What server-side functionality

  • Examine URLs

  • Look at Token ID

  • What server side technologies

  • Teleport Pro

  • Blackwidow

  • Map the attack surface

  • List information to attack vector

  • Attack Authentication Mechanism

  • Username Enumeration

  • Verbose failures

  • Account Username Not Found
  • Predictable usernames

  • Password Attacks

  • Guess it

  • Hydra, JTR, WebCracker, Burp, THC Hydra
  • Brute force it

  • Need dictionary files?
  • Brutus
  • Burp
  • Functionality exploit

  • Password changing
  • Password recovery
  • Remember me exploits
  • Session Attacks

  • Session prediction

  • Session brute force

  • Session poisoning

  • Session Token Generation

  • Session token Sniffing

  • Session Replay

  • Session MITM

  • Cookie Exploitation

  • Cookie poisoning

  • Paros
  • Burp
  • Cookie sniffing

  • Cookie replay

  • Attack Authorization Schemes

  • Cookies

  • URL

  • Hidden Tags

  • Query Strings

  • POST data

  • HTTP Headers

  • Attack Session Management

  • Perform Injection

  • LDAP

  • SQL

  • Web Scripts

  • OS Commands

  • SMTP

  • Attack Data Connectivity

  • Get data from DB

  • Connection String Parameter Pollution

  • Hash Stealing

  • Port Scanning

  • Hijacking Credentials

  • Attack Web App Client

  • XSS

  • Session Fixation

  • Redirection Attacks

  • Frame Injection

  • Request Forgery Attacks

  • Privacy Attacks

  • ActiveX Attacks

  • HTTP Header Injection

  • Attack Web Services

  • SOAP

  • XML Injection

  • Recursive Payloads

  • Oversize Payloads

  • SoapUI

  • XMLSpy

  • Burp Suite

  • Cookie Digger

  • WebScarab

  • Countermeasures

  • URL Encoding %3d

  • HTML Encoding &lt; for <

  • Unicode Encoding

  • Base64 Encoding

  • Hex Encoding

  • Learn how to defend against

  • SQL Injection

  • Injection

  • XSS

  • DoS

  • Tools

  • Acunetix Web Vulnerability Scanner

  • Falcove

  • Netsparker

  • N-Stalker

  • OWASP

  • dotDefender

  • IBM AppScan

  • Server Defender
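The encoding countermeasures above (URL encoding and HTML encoding of untrusted data before it is written into a page) as an added Python example that is not part of the original notes; the render_* functions, the decode helper and the sample comment and search term are constructed for illustration:

```python
import html
from urllib.parse import quote

# Constructed untrusted inputs for illustration: a blog comment and a reflected search term.
UNTRUSTED_COMMENT = "<script>alert(document.cookie)</script>"
UNTRUSTED_TERM = 'shoes" onmouseover="alert(1)'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: raw interpolation delivers the comment's script tag to every reader."""
    return f"<p class='comment'>{comment}</p>"


def render_comment(comment: str) -> str:
    """Hardened: HTML-encode the characters that have meaning in HTML (<, >, &, quotes)."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def render_search_link(term: str) -> str:
    """Two output contexts, two encoders.

    Inside the href the term is URL-encoded (a double quote becomes %22, the same
    scheme as the notes' %3d example for '='); inside the element text it is
    HTML-encoded. Using the wrong encoder for a context is as bad as none."""
    href = "/search?q=" + quote(term, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(term, quote=True)}</a>'


def decode_for_inspection(encoded: str) -> str:
    """Defender's helper: undo HTML entities when reviewing logs or stored content,
    so an encoded payload is still recognisable for what it is."""
    return html.unescape(encoded)
```

Encoding is applied at output time, per context, and the stored value stays raw; encoding on input instead tends to produce double-encoded text in one place and unencoded text in another.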

  • SQL News

  • Flow

  • SQL Injection Concepts

  • Threats

  • Changing a Price
  • Escalation of Privilege
  • DoS
  • Disclosure of Data
  • Destruction of data
  • Modify records
  • Spoof Identity
  • Attacks

  • Authentication Bypassing
  • Information Disclosure
  • Compromise Data Integrity
  • Compromise Availability of Data
  • Remote Code Execution

  • Testing for SQL Injection

  • Union

  • Blah' UNION SELECT 0, username, password, 0 FROM users --

  • Update

  • Blah'; UPDATE jb-customers SET jb-email = 'info@leo.com' WHERE email = 'leo@leo.com' --';

  • Modify Data

  • Blah'; INSERT INTO jb-customers ('jb-email','jb-password','jb-login_id','jb-last_name') VALUES ('leo@leo.com','hello','leo','leo dregier');--

  • Tablename

  • Blah' AND 1=(SELECT COUNT(*) FROM mytable); --

  • Deleting a Table

  • Blah'; DROP TABLE Creditcard; --

  • Testing

  • Error Messages

  • Detect

  • Fuzzing Testing

  • Function Testing

  • Strategic / Dynamic Testing

  • Detect SQL injection Issues

  • Detection SQL Modification

  • Detecting Input Sanitization

  • Detecting Truncation Issues

  • Types of SQL Injection

  • SQL Injection

  • Union Query

  • =1 UNION SELECT ALL 1, DB_NAME, 3, 4 --
  • =1 UNION SELECT ALL 1, name, 3, 4 from sysobjects where xtype=char(85)--
  • =1 UNION SELECT ALL 1, column_name, 3, 4 from DB_NAME.information_schema.columns where table_name = 'EMPLOYEE_TABLE'--
  • Tautology

  • System Stored Procedure

  • End of Line Comment

  • Illegal Logical Incorrect Query

  • Blind SQL Injection

  • No Error Messages

  • Generic Price

  • Time-Intensive

  • WAITFOR DELAY '00:00:10'--

  • SQL Injection Methodology

  • Information Gathering

  • Extract DB name, etc…
  • Database Types
  • Privilege Level
  • OS Interaction
  • Error Messages
  • Grouping Error
  • Type Mismatch
  • Blind Injection
  • SQL Injection vulnerability detection

  • ;
  • ==
  • Launch SQL injection Attacks

  • Error based
  • Union based
  • Extract the Data

  • Table names, column names
  • Interact with the OS

  • Get application passwords
  • Compromise the Network

  • Advanced Enumeration

  • Oracle
  • MS Access
  • MySQL
  • MS SQL Server
  • Attacks

  • Create database accounts
  • Password grabbing
  • Grabbing SQL Server Hashes
  • Transfer the Database

  • SQL Injection Tools

  • BSQLHacker

  • Marathon Tool

  • SQL Power Injector

  • Havij

  • Absinthe

  • Sqlmap

  • Sqlninja

  • Sqlbf

  • Sqllier

  • Sqlsus

  • Sqlexec

  • sqldict

  • Evasion Techniques

  • Evading IDS

  • Signature Evasion

  • Sophisticated Matches
  • Hex Encoding
  • Manipulating White Spaces
  • Obfuscated Codes
  • String Concatenation
  • Char Encoding
  • In-line comment
  • Countermeasures

  • Use Type-Safe SQL Parameters

  • Reject a lot of entries

  • Small query set
  • Multiple layers of validation

  • Microsoft Source Code Analyzer

  • UrlScan

  • dotDefender

  • IBM App Scan

  • Snort Rules can Detect
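The "Use Type-Safe SQL Parameters" and "Multiple layers of validation" countermeasures above as an added Python example, not code from the course; the sqlite3 in-memory customers table and the find_customer*, profile_by_id and make_db functions are constructed for illustration. The vulnerable form sits beside the hardened one so the difference shows on the tautology input the notes list under "Types of SQL Injection":

```python
import sqlite3
from typing import List, Tuple

# The classic tautology test input (see "Tautology" / "Authentication Bypassing" above).
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customers table for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, profile INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", 82), (2, "bob@example.com", 83)],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Vulnerable: string concatenation, so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter and is never parsed as SQL,
    so the same tautology input simply matches no e-mail address."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def profile_by_id(conn: sqlite3.Connection, profile_param: str) -> List[Tuple]:
    """Type-safe parameter plus a second validation layer: a profile value that is
    not a plain integer (cf. the Cust.asp?profile=82 example above) is rejected
    before any SQL is built, and the integer is still bound, not concatenated."""
    if not profile_param.isdigit():
        raise ValueError("profile must be a non-negative integer")
    profile = int(profile_param)
    return conn.execute(
        "SELECT email FROM customers WHERE profile = ?", (profile,)
    ).fetchall()
```

The validation layer is in addition to parameter binding, not instead of it: binding is what makes the query immune, validation keeps junk out of the database and gives the application a clean place to log rejected input for the detection side.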

