Title: SANS SEC560: Network Penetration Testing and Ethical Hacking
Post by: don on March 01, 2008, 04:02:10 PM
SANS SEC560 (http://www.sans.org/info/25034) is the course that is tied to the new GPEN credential. I've taken the liberty of putting together the daily outline into a single document to share with you all:
Planning, Scoping, and Recon
Successful professional penetration testers and ethical hackers must carefully prepare before their projects, and this detailed session covers the strategies and tactics for doing so effectively. We cover building a penetration testing and ethical hacking infrastructure that includes the appropriate hardware, software, network infrastructure, and test tools arsenal, with specific low-cost recommendations for maximizing your effectiveness on a limited budget. This portion of the course also describes how to plan the specifics of a test, carefully scoping the project and defining the rules of engagement with target environment personnel. We survey the various legal issues associated with the penetration testing and ethical hacking craft in various countries around the world.
After this detailed analysis of preparation, the session changes topics to deal with reconnaissance, the initial phase of most penetration tests and ethical hacking projects. We'll look at maximizing the usefulness of information from public sources, including detailed and advanced DNS interrogations, whois look-ups, and late-breaking search engine vulnerability finding tools. We'll also look at emerging recon suites and how we can best position them in our testing regimens.
The mindset of a professional penetration tester and ethical hacker
Types of penetration tests and ethical hacking projects, with an overview of various testing methodologies
Limitations of penetration testing, and how testing fits into an overall security program
Building a testing infrastructure, including practical recommendations for selecting hardware, tools, and network infrastructures
Defining rules of engagement and scoping a project
Exercise: Dealing with an ambiguous pen test RFP
Legal issues with penetration testing around the world
Reporting - how to achieve business focus and technical depth
A pen tester's tool chest of reconnaissance resources
Whois lookups - maximizing the usefulness of registrars, Autonomous System Numbers, etc.
DNS lookups with nslookup, dig, Sensepost's BiLE, etc.
Search engine vulnerability-finding tools: Aura, Wikto, EvilAPI, and more
This component of the course focuses on the vital task of scanning a target environment, creating a comprehensive inventory of machines and then evaluating those systems to find potential vulnerabilities. We'll look at some of the most useful scanning tools freely available today, experimenting with them in our hands-on lab. Because vulnerability-scanning tools inevitably give us false positives, we'll conduct an exercise on false-positive reduction, analyzing several methods for getting inside of what our tools are telling us to ensure the veracity of our findings. Our hands-on exercises include the creative use of packet crafting to measure the fine-grained behavior of target machines, all while watching the action from a custom-configured sniffer. We also look at some of the late-breaking features of popular tools, including the latest Nmap Scripting Engine capabilities.
Types of scans - Network sweeps, network tracing, port scans, OS fingerprinting, version scans, and vulnerability scans
Overall scanning tips - tcpdump for the pen tester, protocol anomalies, and troubleshooting
Exercise: Packet crafting for the pen tester with Hping3 and monitoring with tcpdump
Network tracing in-depth with traditional traceroute and exotic network mapping techniques
Port scanning in-depth with the latest Nmap features
Exercise: Finding vulnerabilities with the Nmap Scripting Engine (NSE)
Version Scanning with Nmap and Amap
Exercise: False positive reduction
Exercise: Comprehensive vulnerability scanner configuration
In this section, we look at the many kinds of exploits that a penetration tester or ethical hacker can use to compromise a target machine. We'll analyze in detail the differences between server-side, client-side, and local privilege escalation exploits, exploring some of the most useful recent exploits in each category. We'll see how these exploits are packaged in frameworks like Metasploit. We'll go over some of the more advanced Metasploit options, including its mighty Meterpreter, discussing some of the best features in this really powerful payload that are hugely helpful for penetration testers and ethical hackers.
We'll also look at some of the common pitfalls that we face when running exploits, as well as methods for mitigating, dodging, or even eliminating those issues. Finally, we'll zoom in on Windows. With its 80+% market share and regular discovery of vulnerabilities and release of exploits, the culmination of exploitation is often a command shell on a Windows box. We'll see how to maximize the effectiveness of that access, activating RDP, VNC, and installing SSH, all from a command prompt. Almost every topic covered in this session includes hands-on exercises to give attendees practical experience in using these techniques. Topics include:
Exploit categories - server-side, client-side, and local privilege escalation
Comprehensive Metasploit Framework coverage - exploits, stagers, stages and how penetration testers can get the most value out of subtle but powerful features
Exercise: Using Metasploit to get remote shell via server-side flaw
The Meterpreter in depth, including file, process, and network interactions and the priv module
Exercise: Advanced usage of the Meterpreter payload
Exercise: Non-Metasploit exploits - using a raw exploit to gain access
The dilemma of command shell vs. terminal access
Exercise: Bypassing the dilemma on Linux/Unix and Windows
Installing and activating VNC, RDP, sshd, and telnet services from a command shell
Moving files with exploits cross-platform
Windows command line kung fu specifically targeted at pen testers: making ping sweepers, port scanners, reverse DNS lookup tools, and password guessers at the command-line
Exercise: Challenging your kung fu
Exercise: Making Windows run commands remotely with psexec, sc, and wmic
This component of the course turns our attention to password attacks, analyzing password guessing, password cracking, and pass-the-hash techniques in depth. Because passwords remain the dominant authentication scheme of most enterprises, professional penetration testers and ethical hackers need to understand how to find password weaknesses in a target environment. We'll go over numerous tips based on real-world experience to help penetration testers and ethical hackers maximize the effectiveness of their password attacks. We'll cover one of the best automated password-guessing tools available today, THC Hydra, and run it against target machines to guess Windows SMB and Linux SSH passwords. We'll then zoom in on the password representation formats for most major operating systems, discussing various cracking tools in-depth.
We'll do exercises in which we'll patch the John the Ripper password cracker so that it can support NT hashes, and then compare its performance when compiled for different kinds of processor types. We'll look at the amazingly full-featured Cain tool, running it to crack sniffed Windows authentication messages. We'll see how Rainbow tables work to make password cracking much more efficient, and run a hands-on exercise using the technique. And, we'll finish the day with a lively discussion of a really powerful attack vector that doesn't require password cracking, but instead uses captured encrypted credentials to access Windows machines directly, in a so-called "pass-the-hash" attack, using customized Samba code for a hands-on exercise illustrating the technique. Specific topics include:
The primacy of passwords
Password attack tips: Making the most of password attacks in a safe and efficient manner
Account lockout and strategies for avoiding it
Password Guessing with THC-Hydra
Exercise: Using THC-Hydra and throttling guesses to avoid problems
Password representation formats in depth: Windows LANMAN, NT, NTLMv1, NTLMv2, Unix DES, and Linux MD5
Exercise: Dumping Windows hashes with fgdump, via an instrumented Netcat relay
John the Ripper features for penetration testers
Exercise: Patching John for NT hashes, comparing MMX vs. non-MMX performance, and cracking LANMAN, NT, and Linux MD5 representations
Cain: The pen tester's dream tool
Exercise: Cain sniffing and cracking NTLMv1 challenge/response exchanges
Rainbow table attacks in depth: How the tables work and how you can use them for more efficiency
Exercise: Using Ophcrack, booting ISOs via a VMX file, and applying Rainbow Tables
Pass-the-hash attacks against Windows: Using hashes without even cracking a password
Exercise: Pass-the-hash hands-on against Windows via Foofus patches for Samba
Wireless and Web Apps
With the increasing use of wireless networking technologies, professional penetration testers and ethical hackers are often called upon to evaluate these infrastructures for flaws. This section of the course describes methodologies for finding common wireless weaknesses, including misconfigured access points, application of weak security protocols, and the improper configuration of stronger security technologies.
The second half of this session focuses on web application penetration testing, looking for the numerous flaws that impact commercial and homegrown web apps. Attendees will work hands-on with tools that can find Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF) flaws, experimenting with each in a hands-on exercise. We'll look at command injection and directory traversal flaws, experimenting with them in hands-on exercises. Finally, the session deals with the sometimes devastating SQL injection flaws and session cloning issues that have resulted in significant website compromises.
Web application scanning and exploitation tools
Exercise: Scanning a web app for flaws
Web application manipulation tools
Exercise: Using Paros Proxy to target a web app
The myriad of web application injection attacks
Exercise: XSRF, XSS, session cloning, and command injection hands-on
Building a wireless testing rig
Finding unsecured access points and peer-to-peer systems
Identifying common wireless misconfigurations
Wireless protocol problems and how a penetration tester can exploit them
Capture the Flag Event
This lively session represents the culmination of the network penetration testing and ethical hacking course, where attendees will apply the skills that they've mastered throughout all the other sessions in a hands-on workshop. The rest of the course covers the overall process for successful testing, with a series of hands-on exercises individually illustrating each point. But here, in this final workshop, all of the exercises converge into an overall network penetration-testing workout. Operating as part of a team, attendees will conduct a penetration test of a target environment in the classroom, following all of the steps of a professional penetration tester and ethical hacker. You'll have to scan for flaws, use exploits, unravel technical challenges, and dodge firewalls, all the while analyzing and documenting your results in a comprehensive manner. Teams will compete with each other to be the first to win the Capture the Flag game that is the centerpiece of this workshop.
Hope this sheds a little more light on what's involved in the course. As with most SANS classes, there is a cert exam that goes along with it that does not match the name of the course itself.