Foundstone Ultimate Hacking Training Class

Day 1 - Setting the Foundation

Set the foundation in which penetration tests are performed. Emphasis is
placed on the importance of performing the work in a methodical and thorough
manner.

1. Internet Footprinting

• Reviewing publicly available information


• Network and domain enumeration


• "whoislookups


• ARIN lookups


• DNS Interrogation


• Zone transfers


• Network reconnaissance

2. Scanning/Landscape Discovery

• Ping sweeps


• Port scanning


• Banner grabbing


• OS guessing

3. Footprinting Lab

Use the tools and techniques taught on day one to footprint and scan
Foundstone's Footprinting Network in Irvine, California. The Footprinting
Network consists of a wide variety of machines on the Internet (Windows, Red
Hat, Solaris, HP-UP, AIX, etc.). These machines are specifically made available
to the class for the purpose of running live scans. The appropriate entries in
ARIN and Network Solutions have also been made so that students can perform
actual lookups against those databases. This lab gives students the opportunity
to run the tools in a realistic manner against live machines on the Internet.

Day 2 - Windows

Begin with a basic overview of Windows security, followed by Foundstone's
methodology for hacking and securing these systems. During the lecture portion
of the day, there will also be test machines for student experimentation.

1. Hacking Windows

• Windows security overview
  
  
  
  • SIDs and RIDs
  
  
  • LSASS
  
  
  • SAM
  
  
  
  


• Domain and network relationships
  
  
  
  • Footprint/scan
  
  
  • Identify OSs
  
  
  • Identify services
  
  
  
  


• Enumerate
  
  
  
  • Computer roles
  
  
  • Users and groups
  
  
  • Discovering Network Topology
  
  
  • Services and pipes
  
  
  • Hardware
  
  
  • LDAP
  
  
  
  


• Penetrate
  
  
  
  • Windows passwords
  
  
  • Password guessing
  
  
  • Password sniffing
  
  
  • Password cracking
  
  
  
  


• Escalate
  
  
  
  • Windows attacks
  
  
  • Named Pipes prediction attack
  
  
  
  


• Pillage
  
  
  
  • Auditing
  
  
  • Log cleaning
  
  
  • Grabbing the SAM
  
  
  • Windows password cracking
  
  
  • Syskey
  
  
  • Important registry keys
  
  
  • Finding "hiddenplaintext passwords
  
  
  
  


• Get interactive
  
  
  
  • netcat shells
  
  
  • PsExec command shell
  
  
  • PushVNC graphical desktop
  
  
  
  


• Expand influence
  
  
  
  • Sniffers
  
  
  • Keystroke Loggers
  
  
  • Remote Control Packages
  
  
  
  

2. Windows Lab

The day ends with a hands-on lab involving four target machines. Students
will follow the methodology and employ the tools taught during the day in order
to compromise the final machine. This "capture the flagstyle exercise is
best performed in teams and will take a couple of hours to complete.

Day 3 - UNIX

Day three focuses on UNIX. Once again, methodology is emphasized throughout
the day. Linux and Solaris machines are available during the day to experiment
and test the newly taught techniques.

1. Hacking UNIX

• UNIX landscape discovery


• UNIX host enumeration


• Remote attacks
  
  
  
  • Brute force attacks
  
  
  • Remote buffer overflows
  
  
  • Input validation attacks
  
  
  • Creating back channels
  
  
  • Common remote attacks
  
  
  
  


• Local attacks
  
  
  
  • UNIX passwords
  
  
  • UNIX password cracking
  
  
  • Race condition attacks
  
  
  • Local buffer overflows
  
  
  • File and directory permission attacks
  
  
  
  


• Beyond root
  
  
  
  • Network mapping
  
  
  • Rootkits
  
  
  • Trojans
  
  
  • Backdoors
  
  
  • Sniffers
  
  
  • Loadable kernel modules
  
  
  
  

2. UNIX Lab

This hands-on lab involves four UNIX target machines (Linux and Solaris).
Students will be required to use the methodology, tools, and techniques taught
earlier during the day in order to successfully complete this multi-hour lab.

Day 4 - Network Hacking & Web Hacking

The material taught on day four is not operating-system specific. Router and
firewall vulnerabilities and weaknesses are covered in the network hacking
module. Port redirection to bypass firewalls and other filtering mechanisms is
also covered in detail with a hands-on exercise. Hacking web-based applications
and a discussion of Foundstone's eCommerce application review methodology are
covered in the web hacking module.

1. Network Hacking

• Router issues
  
  
  
  • Vulnerabilities
  
  
  • Services
  
  
  • Passwords
  
  
  
  


• Routing issues
  
  
  
  • Path integrity
  
  
  • IP spoofing
  
  
  • Denial of service
  
  
  
  


• Firewall architectures


• Firewall attack scenarios
  
  
  
  • Insider
  
  
  • Vulnerable services
  
  
  
  


• Firewall identification and enumeration
  
  
  
  • Banner grabbing
  
  
  • ACL enumeration
  
  
  
  


• Port identification


• Liberal ACLs


• Port redirection
  
  
  
  • datapipe
  
  
  • fpipe
  
  
  
  

2. Web Hacking

• E-commerce primer


• Information gathering
  
  
  
  • Port scanning
  
  
  • Web reconnaissance
  
  
  • Enumeration
  
  
  • Vulnerability checking
  
  
  • Site duplication
  
  
  • Source sifting
  
  
  • Key field enumeration
  
  
  
  


• Viewing source
  
  
  
  • Active server pages
  
  
  • Common gateway interface
  
  
  • Cold fusion
  
  
  
  


• File system traversal
  
  
  
  • The infamous ".." or "dot dot" bugs
  
  
  • CIM
  
  
  
  


• Input validation
  
  
  
  • Metacharacters
  
  
  • Field overflows
  
  
  • Application buffer overflows
  
  
  • Server side includes
  
  
  • Hidden tags
  
  
  • IIS unicode
  
  
  • Local command execution
  
  
  
  

3. Ultimate Lab

The course concludes with a lab involving routers, NT/2000, UNIX, and web
hacking. It is a multi-OS lab that will require using tools and techniques from
all four days. Teamwork is essential in order to complete the lab. This lab
typically takes several hours to complete.

If you are a system and network administrator, security personnel, an
auditor, and/or consultant