Section 1: Ethernet and IP Operation
- OSI Network Model
- Application Layers
- Network Services Layers
- Moving Data Through The Stack
- Data Link Layer Format
- Ethernet Operation
- Hub and Switch Operation
- Ethernet Security Issues
- Detecting Promiscuous NICs
- Network Packet Capture
- tcpdump
- Ethereal
- IPv4
- IP Addressing
- Differentiated Services
- IP Fragmentation
- Path MTU Discovery
- ARP
- ICMP
- ICMP Redirects
- Important ICMP Messages
- ICMP Security Issues
- Protecting Against ICMP Abuse
Lab 1 - Basic Traffic Generation, Capture, and Analysis
- Capture and analyze ARP traffic with a variety of tools
- Capture and analyze ICMP echo, unreachable, and redirect messages
- Explore the differences between a variety of traffic capture utilities and their interfaces and options
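Added example for Lab 1 (not part of the course materials): a tcpdump capture filter that matches exactly the ARP and ICMP message types the lab analyzes, plus a small classifier for the resulting `tcpdump -n` text. The interface name (eth0), the addresses and the sample lines are assumptions; the sample is constructed in the style of tcpdump output, not a real capture.

```sh
#!/bin/sh
# Added example: capture and classify the ARP/ICMP traffic from Lab 1.
# Interface, addresses and SAMPLE are assumptions/constructed.

# BPF filter for the message types under study. The icmp-* names are the
# pcap-filter(7) constants for the ICMP type field.
capture_filter() {
    echo 'arp or icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-unreach or icmp[icmptype] = icmp-redirect'
}

# Live capture (needs root). -n keeps addresses numeric so the lines match
# the patterns in classify_lines; -l line-buffers for piping.
capture() {
    tcpdump -n -l -i "${IFACE:-eth0}" "$(capture_filter)"
}

# Label each tcpdump -n text line on stdin with the message type it carries.
classify_lines() {
    while IFS= read -r line; do
        case "$line" in
            *"ARP, Request who-has "*)  echo arp-request ;;
            *"ARP, Reply "*" is-at "*)  echo arp-reply ;;
            *"ICMP echo request"*)      echo icmp-echo ;;
            *"ICMP echo reply"*)        echo icmp-echoreply ;;
            *"ICMP redirect "*)         echo icmp-redirect ;;
            *"ICMP "*" unreachable"*)   echo icmp-unreach ;;
            *)                          echo other ;;
        esac
    done
}

# Constructed sample in the style of tcpdump -n output (not a real capture).
SAMPLE='13:00:01.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
13:00:01.000200 ARP, Reply 10.0.0.1 is-at 00:0c:29:aa:bb:cc, length 28
13:00:02.000001 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 4242, seq 1, length 64
13:00:02.000300 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 4242, seq 1, length 64
13:00:03.000001 IP 10.0.0.1 > 10.0.0.2: ICMP 10.0.0.1 udp port 33434 unreachable, length 36
13:00:04.000001 IP 10.0.0.1 > 10.0.0.2: ICMP redirect 10.0.0.50 to host 10.0.0.254, length 36
13:00:04.000002 ARP, Request who-has 10.0.0.7 tell 10.0.0.2, length 28'

# Number of sample lines of one class (grep -c prints 0 and exits 1 on no match).
count_kind() {
    printf '%s\n' "$SAMPLE" | classify_lines | grep -c "^$1\$" || true
}

# Usage: APPLY=1 as root classifies a live capture; otherwise summarize SAMPLE.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    capture | classify_lines
else
    for k in arp-request arp-reply icmp-echo icmp-echoreply icmp-unreach icmp-redirect; do
        printf '%-16s %s\n' "$k" "$(count_kind "$k")"
    done
fi
```

An unsolicited ARP reply in the capture (an "is-at" with no matching "who-has") is the first thing to look for when the Section 2 poisoning material comes up; the classifier makes those stand out.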
Section 2: IP and ARP Vulnerability Analysis
- IP Security Issues
- IP Routing
- Routing Protocol Security
- Protecting Against IP Abuse
- ARP Security Issues
- Cache Poisoning with ARP Replies
- Cache Poisoning with ARP Requests
- ARP Cache Poisoning Defense
Lab 2 - Advanced Traffic Generation and Capture
- Learn to use a variety of tools to generate traffic,
including forged headers.
- Use ARP cache "poisoning" to capture traffic on a switched LAN.
- Use various techniques to discover if a NIC is in promiscuous mode.
Section 3: UDP/TCP Protocol and TELNET Vulnerability Analysis
- User Datagram Protocol
- UDP Segment Format
- Transmission Control Protocol
- TCP Segment Format
- TCP Port Numbers
- TCP Sequence / Acknowledgment Numbers
- TCP Three-way Handshake
- TCP Window Size
- The TCP State Machine
- The TCP State Transitions
- TCP Connection Termination
- TCP SYN Attack
- TCP Sequence Guessing
- TCP Connection Hijacking
- Telnet
- Telnet Concepts - Options
- Telnet Concepts - Commands
- Telnet Security Concerns
Lab 3 - Attacks on TCP
- Use forged packets to slow and kill TCP sessions.
- Monitor and hijack a telnet session.
Section 4: FTP and HTTP Vulnerability Analysis
- FTP
- Modes
- Transfer Methods
- Security Concerns
- The Bounce Attack
- Minimizing Risk
- FTP - Port Stealing
- Brute-force Attacks
- Access Restriction
- Privacy
- HTTP/1.1
- HTTP Protocol Parameters
- HTTP Message
- HTTP Request/Method Definitions
- Response/Status Codes
- Proxies
- Authentication
- Security Concerns
- Personal Information
- Attacks On File and Path Names
- Header Spoofing
- Auth Credentials and Idle Clients
- Proxy Servers
Lab 4 - Attacks on FTP and HTTP
- Use dsniff to capture FTP and HTTP passwords.
- Bonus exercise: Use urlsnarf and webspy to monitor
a web browser.
Section 5: DNS Protocol Vulnerability Analysis
- DNS
- DNS Basic Concepts and Terms
- DNS Resolution
- DNS Zone Transfers
- DNS Spoofing
- DNS Cache Poisoning
- DNS Security Improvements
Lab 5 - Attacks on DNS
- Use dnsspoof to forge DNS responses to redirect web
traffic.
- Use forged DNS responses to circumvent host based
access security.
Section 6: SSH and HTTPS Protocol Vulnerability Analysis
- SSH Concepts
- Initial Connection
- Protocols
- SSH1
- SSH2
- Encryption Vulnerabilities
- SSH Vulnerabilities
- SSH1 Insertion Attack
- SSH Brute Force Attack
- SSH1 CRC Compensation Attack
- Bleichenbacher Oracle
- SSH1 Session Key Recovery
- Client Authentication Forwarding
- Host Authentication Bypass
- X Session Forwarding
- HTTPS Protocol Analysis
- SSL Enabled Protocols
- SSL protocol
- SSL Layers
- The SSL Handshake
- SSL Vulnerabilities
- Intercepted Change Cipher Spec
- Intercepted Key Exchange
- Version Rollback Attack
Lab 6 - HTTPS and SSH
- Perform a man-in-the-middle attack on secure web
connections.
- Perform a man-in-the-middle attack on SSH v1
connections.
- Perform a timing and packet length attack on
SSH v1 and SSH v2 connections.
Section 7: Remote Operating System Detection
- OS Detection
- Banners
- Commands
- Less-direct Approaches
- TCP/IP Stack Fingerprinting
- Remote Fingerprinting Apps
- nmap
Lab 7 - Using nmap
- Use the Nmap utility to perform general network
sweep scans.
- Use Nmap to perform a wide variety of scans on
a host.
- Use Nmap to perform TCP/IP fingerprinting for remote
OS detection.
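Added example for Lab 7 (not part of the course materials): the three Nmap uses the lab lists, written to emit greppable output (`-oG -`), and a parser that reduces that output to live hosts, open ports and OS guesses so sweep results can feed the per-host scans. The target network, the port list and the sample `-oG` text are assumptions; the sample is constructed in the `-oG` line format, not real scan output.

```sh
#!/bin/sh
# Added example: Nmap sweep, host scans and OS fingerprinting with -oG
# output, and awk parsers for that output. TARGET and SAMPLE are
# assumptions/constructed.

TARGET="${TARGET:-10.0.0.0/29}"

# Network sweep: host discovery only (-sn; older releases call it -sP).
sweep()       { nmap -sn -oG - "$TARGET"; }
# Host scans: SYN scan with version probes, then the most common UDP ports.
# -sS and -sU need root (raw sockets).
scan_host()   { nmap -sS -sV -oG - "$1"; nmap -sU --top-ports 20 -oG - "$1"; }
# TCP/IP stack fingerprinting (needs root).
fingerprint() { nmap -O -oG - "$1"; }

# -oG lines are tab-separated fields; the first is "Host: <ip> (<name>)".
# "Status: Up" field -> ip
parse_up_hosts() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " ")
        for (i = 2; i <= NF; i++) if ($i ~ /^Status: Up/) print h[2]
    }'
}

# "Ports:" entries are port/state/proto/owner/service/rpc/version/
# -> "ip port/proto service" for open ports only
parse_open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 7) != "Ports: ") continue
            n = split(substr($i, 8), e, ", ")
            for (j = 1; j <= n; j++) {
                split(e[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
            }
        }
    }'
}

# "OS: <guess>" field -> "ip guess"
parse_os() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " ")
        for (i = 2; i <= NF; i++) if (substr($i, 1, 4) == "OS: ") print h[2], substr($i, 5)
    }'
}

# Constructed sample in -oG format (tabs come from the printf formats).
SAMPLE=$(
    printf '%s\t%s\n' 'Host: 10.0.0.1 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.1 ()' \
        'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 23/closed/tcp//telnet///' \
        'OS: Linux 5.X'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()' 'Status: Up'
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.2 ()' 'Ports: 21/open/tcp//ftp//vsftpd 3.0.3/' 'Ignored State: closed (999)'
    printf '%s\t%s\n' 'Host: 10.0.0.3 ()' 'Status: Down'
)

# Usage: APPLY=1 as root runs the real scans; otherwise parse SAMPLE.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    sweep | parse_up_hosts | while read -r ip; do
        scan_host "$ip" | parse_open_ports
        fingerprint "$ip" | parse_os
    done
else
    printf '%s\n' "$SAMPLE" | parse_up_hosts
    printf '%s\n' "$SAMPLE" | parse_open_ports
    printf '%s\n' "$SAMPLE" | parse_os
fi
```

Greppable output is the easiest to post-process from a shell script; `-oX` (XML) is the better choice when the results need to survive across Nmap versions.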
Section 8: Attacks and Basic Attack Detection
- Sources of Attack
- Denial-of-Service Attacks
- Methods of Intrusion
- Exploit Software Bugs
- Exploit System Configuration
- Exploit Design Flaws
- Password cracking
- Typical Intrusion Scenario
- Intrusion Detection
- IDS Considerations
- Attack Detection Tools
- Klaxon
- PortSentry
- PortSentry Design
- Snort
Lab 8 - Basic Scan Detection
- Examine standard system logs and statistics for
signs of attack.
- Configure portsentry to log port scans from nmap.
- Configure portsentry for active response to port scans.
Section 9: Intrusion Detection Technologies
- Intrusion Detection Systems
- Host Based IDS
- Network Based IDS
- Network Node IDS
- File Integrity Checkers
- Hybrid NIDS
- Honeypots
- Focused Monitors
- Snort Architecture
- Snort Detection Rules
- Snort Logs and Alerts
- Snort Rules
Lab 9 - Exploring Snort
- Install snort.
- Test Snort to see if it detects Nmap scans.
- Use Snort to examine network traffic in decoded
text format.
- Use Snort to capture all network packets in tcpdump-style binary logs.
- Use tethereal to analyze captured packets.
- Set up Snort to log to syslog.
Section 10: Advanced Snort Configuration
- Advanced snort Features
- snort Add-ons
- ACID Web Console
- The ACID Interface
- SnortCenter Management
Lab 10 - Snort Tools
- Set up a new MySQL database for use with snort.
- Configure snort to log to the new database.
- Set up and test the ACID analysis tool.
- Set up and configure SnortCenter.
- Install and configure the Linux SnortCenter Sensor Agent.
- Observe how snort and ACID respond to attacks.
Section 11: Snort Rules
- Snort Rules Format
- Snort Rules Options
- Writing Snort Rules
- Example Rules
Lab 11 - Custom Snort Rules
- Capture packets from an exploit that Snort does not currently detect.
- Write a custom rule for Snort to detect the exploit.
- Verify exploit detection.
Section 12: Linux and Static Routing
- Linux As a Router
- Linux Router Minimum Requirements
- Router Focused Distributions
- Router Specific Settings
Lab 12 - Static Routing
- Configure your host to act as a router.
- Configure and test "automatic" anti-spoofing
protection.
- Configure the system to implement the above automatically
on reboot.
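Added example for Lab 12 (not part of the course materials): the sysctl settings that turn a Linux host into a router with the kernel's "automatic" anti-spoofing (reverse-path filtering), a way to apply them now and persist them across reboots, and a reader for the "martian source" lines the kernel logs when a spoofed packet is dropped. The `/etc/sysctl.d` path, the interface names and the sample kernel log lines are assumptions; the log sample is constructed, not real.

```sh
#!/bin/sh
# Added example: Linux router with rp_filter anti-spoofing, persisted, and
# a summary of dropped martians. Paths and SAMPLE_LOG are
# assumptions/constructed.

# rp_filter=1: drop a packet if its source address would not be routed
# back out the interface it arrived on (strict reverse path check).
# log_martians=1 writes each such drop to the kernel log.
router_sysctl_settings() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
EOF
}

# Apply immediately (needs root): each "key = value" line becomes sysctl -w.
apply_now() {
    router_sysctl_settings | while IFS=' =' read -r key value; do
        sysctl -w "$key=$value"
    done
}

# Persist so the settings come back on reboot. sysctl.d is read at boot by
# systemd and by most init scripts; older systems use /etc/sysctl.conf.
persist() {
    dir="${1:-/etc/sysctl.d}"
    router_sysctl_settings > "$dir/90-router.conf"
    echo "$dir/90-router.conf"
}

# Print the live values so the change can be verified after apply/reboot.
show_live() {
    for f in ip_forward conf/all/rp_filter conf/all/log_martians; do
        if [ -r "/proc/sys/net/ipv4/$f" ]; then
            printf '%s=%s\n' "$f" "$(cat "/proc/sys/net/ipv4/$f")"
        fi
    done
}

# Kernel log text on stdin -> "count source-ip interface", most frequent first.
martian_summary() {
    sed -n 's/.*martian source [0-9.]* from \([0-9.]*\), on dev \([a-z0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed kernel log lines in the rp_filter drop format (not real).
SAMPLE_LOG='[  101.001] IPv4: martian source 10.0.0.1 from 192.168.1.9, on dev eth1
[  101.002] IPv4: martian source 10.0.0.1 from 192.168.1.9, on dev eth1
[  101.003] IPv4: martian source 10.0.0.1 from 172.16.0.4, on dev eth0
[  101.004] ll header: 00000000: ff ff ff ff ff ff 00 0c 29 aa bb cc 08 00'

# Usage: APPLY=1 as root applies and persists; otherwise summarize SAMPLE_LOG.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_now && persist && show_live
else
    printf '%s\n' "$SAMPLE_LOG" | martian_summary
fi
```

To test the protection, send a packet into eth1 with a source address that belongs to the eth0 network (the forged-header tools from Lab 2 will do); it should not be forwarded, and `dmesg` should show the martian line for it.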
Section 13: Linux Firewalls
- Types of Firewalls
- Application Firewalls: TCP Wrappers
- Application Firewalls: Squid
- Packet Filter: ipchains
- Stateful Packet Filter: iptables
- Firewall Topology
- Recommended Firewall Rules
- Firewall Limitations
- iptables Concepts
- Using iptables
- Advanced iptables Actions
- iptables: A More Secure Approach
Lab 13 - iptables
- Use iptables to filter traffic destined to your
host.
- Use iptables to log traffic destined to a
specific port on your host.
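Added example for Lab 13 (not part of the course materials): an INPUT ruleset that filters traffic destined to the host and logs connection attempts to one port, emitted in `iptables-restore` format so it loads atomically rather than rule by rule, and a reader that summarizes the resulting kernel log lines by source address. The accepted service (22/tcp), the logged port (23/tcp), the log prefix and the sample log lines are assumptions; the log sample is constructed, not real.

```sh
#!/bin/sh
# Added example: host firewall with one logged port, plus a log summarizer.
# Port numbers, PREFIX and SAMPLE_LOG are assumptions/constructed.

LOGGED_PORT="${LOGGED_PORT:-23}"   # port whose traffic is logged (telnet here)
PREFIX="IPT-p${LOGGED_PORT}: "     # --log-prefix value (29 characters max)

# Default-deny INPUT, stateful allow of replies, one open service, and a
# rate-limited LOG before the DROP for the watched port so a port scan
# cannot flood syslog. Lines starting with # are ignored by iptables-restore.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and packets belonging to connections this host already has
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only service new connections are accepted to
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (rate-limited), then drop, traffic to the watched port
-A INPUT -p tcp --dport ${LOGGED_PORT} -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "${PREFIX}" --log-level 4
-A INPUT -p tcp --dport ${LOGGED_PORT} -j DROP
COMMIT
EOF
}

# Parse without loading (needs root on most systems), then load atomically.
check_rules() { ruleset | iptables-restore --test; }
apply_rules() { ruleset | iptables-restore; }

# Syslog/kernel text on stdin -> "count source-ip dport", most frequent first.
log_hits_by_source() {
    grep -F "$PREFIX" | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed syslog lines in the iptables LOG target format (not real).
SAMPLE_LOG='Mar  3 12:00:01 gw kernel: IPT-p23: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:02 gw kernel: IPT-p23: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:03 gw kernel: IPT-p23: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:44:55:66:08:00 SRC=10.0.0.42 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:04 gw sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 40100 ssh2'

# Usage: APPLY=1 as root checks and loads the rules; otherwise show them and
# summarize SAMPLE_LOG.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    check_rules && apply_rules && iptables -L INPUT -n -v
else
    ruleset
    printf '%s\n' "$SAMPLE_LOG" | log_hits_by_source
fi
```

The LOG rule must come before the DROP for the same match; iptables stops at the first terminating target, and LOG is non-terminating. `iptables -L INPUT -n -v` shows per-rule packet counters, which is the quickest way to confirm the filter is seeing the test traffic.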
Section 14: Network and Port Address Translation
- Address Translation
- Configuring NAT and PAT
- NAT Limitations