Certified Security Testing – (CPSA/CRT) Exam Prep

Infrastructure Ethical Hacking

1.Introduction

• Motivations behind hacking
• The hacking scene
• Methodology

2.Networking Refresher

• Sniffing Traffic – Wireshark, Ettercap

3.Information Discovery

• Information Gathering – wget, metadata, pdfinfo & extract
• DNS – dig, zone transfers, DNSenum and Fierce

4.Target Scanning

• Host Discovery – Nmap and Netdiscover
• Port Scanning with Nmap – Connect, SYN and UDP scans, OS detection
• Banner Grabbing – Amap, Netcat, Nmap, Nmap scripts (NSE)

5.Vulnerability Assessment

• Nikto
• Nessus

6.Attacking Windows

• Windows Enumeration – (SNMP, IPC$)
• Enum4linux
• RID Cycling – Enum4linux, Cain
• Metasploit
• Client-side Exploits – Internet Explorer, Metasploit Auxiliary modules

7.Privilege Escalation – Windows

• Information Gathering with Meterpreter – Stuxnet exploit, Meterpreter scripts
• Privilege Escalation – Keylogging, Service Configuration
• Password Cracking – John The Ripper, Cain, Rainbow tables
• Brute-Force Password Attacks
• Attacks on Cached Domain Credentials
• Token Stealing – PsExec, Incognito, local admin to domain admin
• Pass the Hash

8.Attacking Linux

• Linux User Enumeration
• Linux Exploitation without Metasploit
• Online Password – Cracking – Medusa
• User Defined Functions
• ARP Poisoning Man in the Middle – clear-text protocols, secured protocols

9.Privilege Escalation – Linux

• Exploiting sudo through file Permissions
• Exploiting SUID and Flawed Scripts – logic errors
• Further Shell Script Flaws – command injection, path exploits
• Privilege Escalation via NFS
• Cracking Linux Passwords

10.Pivoting the Connection

• Pivoting with Meterpreter
• Port Forwarding

11.Retaining Access

• Netcat as a Backdoor
• Dark Comet RAT – Metasploit Handlers, a full end-to-end attack

12.Covering Tracks

• Alternative Data Streams
• Dark Comet

Web App. Ethical Hacking

1.Principles

• Web refresher
• Proxies
• The OWASP Top Ten
• Web application security auditing
• Tools and their limitations
• HTTP request and response modification
• Logic flaws

2.Injection

• Types
• Databases overview – data storage, SQL
• SQL injection – data theft, authentication
• Bypass, stored procedures
• Information leakage through errors
• Blind SQL injection

3.Broken Authentication and Session Management

• Scenarios
  Attacking authentication pages
  Insecure Direct Object Reference
• Direct vs indirect object references
• Authorization
• Cross-site Request Forgery (CSRF)
• Exploiting predictable requests

4.Cross-site Scripting (XSS)

• JavaScript
• Email spoofing
• Phishing
• Reflected and Stored/Persistent XSS
• Cookies, sessions and session hijacking

5.Insecure Direct Object Reference

• Scenarios
• Information leakage through logs

6.Security Misconfiguration

• Scenarios

7.Sensitive Data Exposure

• Identifying sensitive data
• Secure storage methods

8.Un-validated Redirects and Forwards

• Scenarios

9.Conclusions