Certified Penetration Testing Consultant

Course

In Miguel Hidalgo

$ 59,225.52 plus VAT

*Estimated price

Original amount in USD:

$ 3,500

Description

  • Type

    Workshop

  • Level

    Intermediate level

  • Location

    Miguel Hidalgo

  • Teaching hours

    32h

  • Duration

    4 Days

  • Start

    Dates available

The vendor-neutral Certified Penetration Testing Consultant course is designed for IT Security Professionals and IT
Network Administrators who are interested in conducting penetration tests against large network infrastructures,
such as those of large corporate networks, Service Providers and Telecommunication Companies. Instead of focusing on
operating-system-level penetration testing, this course covers techniques for attacking the underlying network
infrastructure and protocols and for preventing those attacks. The training starts with basic packet capturing and
analysis using both commercial and open source tools. From there, the student continues with Layer 2 attack vectors;
Layer 3 based attacks, including both IPv4 and IPv6 stacks; routing protocol attacks (OSPF, BGP, etc.); and then
moves on to service-provider-level attacks related to the very commonly used MPLS, how to use relays and pivots,
VPN attacks including the IPSEC protocol suite, and SSL attacks. Finally, the class covers NIDS/NIPS evasion and
implementation techniques.
This course uses in-depth lab exercises after each module. Students may spend 16 hours+ performing labs that
emulate a real world Pen Testing model. Students will make use of scores of traditional and cutting edge Pen Testing
tools (GUI and command line, Windows and Linux) as they make their way through mile2’s time-tested methodology.

Important details

Documents

  • CPTC_Certified_Penetration_Testing_Consultant.pdf

Locations and available dates

Location

Start

Miguel Hidalgo (Ciudad de México (Distrito Federal))
Bosque de Duraznos 65-601a, Col. Bosque de Las Lomas, 11700

Start

Dates available. Enrollment open.

About this course

Upon completion, Certified Penetration Testing Consultant students will be able to establish an industry-acceptable
pen testing process and will be prepared to competently take the C)PTC exam.

Instructor-led
Live Online Training

C)PTE or equivalent knowledge
A minimum of 24 months experience in Networking Technologies
Sound knowledge of TCP/IP
Computer hardware knowledge

Subjects

  • Mile2
  • Network security
  • Cloud security
  • Computer security
  • Applied computing
  • Applied security
  • VPN
  • PTE
  • CPTE
  • CPTC

Instructors

Alejandro Hernández

Palo Alto instructor

Syllabus

Course Outline

Packet Capturing

Packet Capturing

Packet capturing using libpcap

Capturing using ncap

Packet Capturing Software

Windump / TCPDump

Usage

Windump & PS

Wireshark

General Settings

Preferences

Capture Settings

Interface Options

Column Settings

Name Resolution Settings

Panes

Capture Options

Menu Shortcuts

Follow TCP Stream

Expert Infos

Packet Reassembly

Capturing VOIP Calls

VOIP Call Filtering

Call Setup

Playing the call

Saving the call into a file

SMB Export

HTTP Export

Layer2 Attacks

Why Layer2?

FBI/CSI Risk Assessment

Ethernet Frame Formats

Different Types of attacks

Switch Learning Process

Excessive Flooding

Macof

Cisco Switches’ Bridging Table Capacities

Mac Flooding Alternative: Mac Spoofing Attacks

Spanning Tree Basics

Frame Formats

Dissectoring

Main BPDU Formats

yersinia

STP Attacks supported in yersinia

Becoming Root Bridge

VLANs

Basic Trunk Port Defined

Dynamic Trunking Protocol (Cisco)

VLAN Hopping Attack

Double Tagging

How DHCP operates?

DHCP Request/Reply Types

DHCP Fields

DHCP Starvation Attack

Rogue DHCP Server Attack

ARP Function Review

Risk Analysis of ARP

ARP Spoofing Attack Tools

ARP Cache Poisoning

How PoE works?

Risk Analysis for PoE

Layer3 Attacks on Cisco Based Infrastructures

Layer 3 protocols

Protocols: BGP

BGP MD5 crack

Protocols: BGP

BGP Route Injection

MP-BGP Route Injection

Protocols: OSPF

Protocols: ISIS

Protocols: HSRP/VRRP

DDoS detection

DDoS prevention

Ingress/egress filtering

Worm detection and protection

DDoS/worm research/future

MPLS

Bi-directional MPLS-VPN traffic redirection

Some More MPLS Attacks

MPLS

Router integrity checking

· Pivoting and Relays

Pivoting

Netcat

Backdoors with nc

Netcat – Basic Usage

Persistent Listeners

Shovel a shell

Shovel a file

Netcat port scanner

Relays

Simple Netcat Relay

Two-Way Netcat Relay – The Newbie Approach

Named Pipes

I/O Streams and Redirection

Relay Scenario 1

Two-Way NC Relay with Named Pipe

Relay Scenario 2

Relay Scenario 3

· IPv6 Attacks

IPv4

IPv6

IPv4 & IPv6 Headers

IPv6 Header Format

End-to-End Principle

Differences with End-to-End

End point filters

Merging IPSEC and Firewall functions

Scanning

ICMPv6

ICMPv6 Neighbor Discovery

IPv6 Attack Tools

DAD DoS Attack

DAD DoS Attack

Auto-Configuration Mechanisms

Autoconfiguration – SLAAC, DHCPv6

Auto-Configuration IPv4 & IPv6

ICMPv6 Types

Neighbor Discovery

ND spoofing

http://www.thc.org/thc-ipv6

Dos-new-ipv6 (THC)

Parasite6 (THC)

Redir6 (THC)

Fake_router6

IPv6 in Today’s Network

Extension Headers

Routing Header

Different Types of Routing Header

RH0 (Deprecated by RFC 5095) Format

Routing Header 0 Attack

Layer 3-4 Spoofing

Transition Mechanism Threats

IPv6 Firewall

Making existing tools work

Summary

· VPN Attacks

VPNs

VPN Comparison

IPSec

Detecting IPSec VPNs

AH versus ESP

Tunnel mode versus Transport mode

Main mode versus aggressive mode

IKE Main Mode

IKE Aggressive Mode

IPv4 Header

Authentication Header

AH Transport Mode

AH Tunnel Mode

Authentication Algorithms

AH and NAT

ESP with Authentication

ESP in Transport Mode

ESP in Tunnel Mode

IKE

IKE-Scan

IKE-SCAN

Aggressive Mode

Main Mode

Aggressive Mode ID

Aggressive Mode PSK Attacks

Aggressive PSK Cracking

Aggressive Mode ID Enumeration

Main Mode PSK Attacks

Main Mode PSK Cracking

Main Mode Policy Enumeration

IKECrack

IKEProbe

IKE-PROBE

Other VPN Flaws

Insecure Storage of Credentials on VPN Clients

Username Enumeration

· Defeating SSL

Outline

How SSL Works

Certificate Types

Certificate Chaining

Chain of trust

Verifying a Certificate Chain

Certificate Chain That Cannot be Verified

What if…

Basic Constraints

Then the story started

SSLSNIFF

Running SSLSNIFF

Setting up IPTABLES

Running Arpspoof

SSLSTRIP

How SSL connection is initiated:

SSLSTRIP

What does it look like?

With SSLSTRIP

Running SSLSTRIP

Combining this technique with homograph attack

Certificates

Certificate Enrollment Request PKCS#10

Certificate (Subjects)

CN Encoding

PKCS #10 SUBJECT

PKCS #10 Certificate Signing Request

Disadvantages

Universal Wildcard

More Weird Stuff

What do we have to worry about?

Certificate Revocation

Defeating OCSP

OCSP-Aware SSLSNIFF

Updates

Update-Aware SSLSNIFF

Snort

What is Snort?

Snort Architecture

Packet Sniffing

Preprocessors

Detection Engine

Alerting Components

Three major modes

Using Snort as Packet Sniffer

Packet Sniffing

Snort as Packet Logger

Snort as NIDS

Snort Rule Tree

Decoding Ethernet Packet

Preprocessor Layout

Parts of a Rule

Outputs

· IDS/IPS Evasion

Evasion

Networking Standards

Evasion Principles

Evasion Layers

Layer 2

Layer 3-4

Fragmentation

Fragmentation Attacks – Ping O' Death

More Malicious Fragments

Fragmentation-Based Techniques

Sending Overlapping Fragments

Different Reassembly Timeout

Sending Fragment with Different TTLs

Insertion Attacks

Protocol Violation

Layer 5-7

Layer 5-7

SMB Evasions

SMB based vulnerabilities

How can IDS control SMB sessions?

DCERPC Evasions

How DCERPC works:

DCERPC Bind Evasions

DCERPC Call Evasions

DCERPC Transport Evasions

Obfuscation

Client Side Attack Evasions

Unicode

UTF-8 Overlong Strings

Javascript Evasions

Base64 your HTML

Encryption

DoS Attacks

Failure Points

Alert Management

Hardware Limitations

Session Tracking

Pattern Matching

Signature Matching

Lab Outline

· Working with Captured Files

Sniffing with Wireshark

HTTP Protocol Analysis

SMB Protocol Analysis

SIP/RTR Protocol Analysis

DNS Protocol Analysis

· Layer 2 Attacks

MAC Spoofing

ARP Wireshark Network Sniffing

Analyzing the capture of Macof

Manipulating STP algorithm

· Layer 3 Attacks

Exploring Layer 3 with Loki tool on Kali

Cracking the BGP authentication key with Loki dictionary attack

OSPF Authentication

Attacking the default gateway redundancy protocol

· Pivoting and Relays

Pivoting with Metasploit

Pivoting with SSH

· IPv6 Attacks

Man-in-the-Middle attacks using THC-IPv6 Parasite6

Flooding the Network

IPv6 SLAAC Attacks

· VPN Attacks

Cracking IKE PSK

Enumerate VPN IPsec with iker.py

· Defeating SSL

Decrypting SSL

Use SSLSTRIP for SSL MITM

· IDS/IPS Evasion

· Use Snort as Packet Sniffer

· Use Snort as Packet Logger

· Check Snort's IDS abilities with pre-captured attack pattern files
