EC-Council Certified Security Analyst

  • Need for Security Analysis

    • Computer Security Concerns
      • Protect Information
      • Security Concerns Due to Intrusions
      • Greatest Challenges of Security
      • Environmental Complexity
      • New Technologies
      • New Threats and Exploits
      • Limited Focus
      • Limited Expertise
      • Threat Agents
      • Information Security Measures
        • Data Security Measures
        • Authentication
        • Authorization
        • Confidentiality
        • Integrity
        • Availability
        • Non-Repudiation
      • Risk Analysis
        • Assessment Questions
        • Security Limit
        • Risk
        • Simplifying Risk
        • Risk Analysis
        • Risk Assessment Answers Seven Questions
        • Steps of Risk Assessment
        • Risk Assessment Values
      • Hardening Security
        • No Simple Solutions
        • We Must be Diligent
        • Information Security Awareness
      • Security Policies
        • Security Policies
        • Security Policy Basics
        • Policy Statements
        • Types of Security Policies
        • Promiscuous Policy
        • Permissive Policy
        • Prudent Policy
        • Paranoid Policy
      • Sample Policies
        • Acceptable-Use Policy
        • Remote-Access Policy
        • Wireless Security Policy
        • Email Security Policy
        • Email and Internet Usage Policies
        • Personal Computer Acceptable Use Policy
        • Firewall-Management Policy
        • Internet Acceptable Use Policy
        • User Identification and Password Policy
        • Software License Policy
        • User-Account Policy
        • Information-Protection Policy
        • Special-Access Policy
        • Network-Connection Policy
        • Business-Partner Policy
        • Data Classification Policy
        • Intrusion Detection Policy
        • Virus Prevention Policy
        • Laptop Security Policy
        • Personal Security Policy
        • Cryptography Policy
        • Fair and Accurate Credit Transactions Act of 2003 (FACTA)
        • FACTA Policy
        • Other Important Policies
      • Information Security Standards
        • ISO 17799
        • Domains of ISO 17799
        • ISO/IEC 27001
        • COBIT
      • Information Security Acts and Laws
        • U.S. Legislation
        • California SB 1386
        • Sarbanes-Oxley 2002
        • Gramm-Leach-Bliley Act (GLBA)
        • Health Insurance Portability and Accountability Act (HIPAA)
        • USA Patriot Act 2001
        • U.K. Legislation
        • Effect of Law on the Security Officer
        • The Data Protection Act 1998
        • The Human Rights Act 1998
        • Interception of Communications
        • The Freedom of Information Act 2000
        • The Companies (Audit, Investigations and Community Enterprise) Act 2004

  • TCP/IP Packet Analysis

    • Introduction to TCP/IP
        • TCP/IP Model
        • Comparing OSI and TCP/IP
        • Port Numbers
        • Internet Assigned Numbers Authority (IANA)
        • IP Header
        • IP Header: Protocol Field
        • TCP
        • TCP Header
      • TCP/IP Connection
        • Source and Destination Port Connection
        • What Makes Each Connection Unique
        • TCP/UDP Connection State Checking Using netstat
        • TCP Operation
        • Three-Way Handshake
        • Flow Control
        • Flow Control Mechanism: Synchronization
        • Flow Control Mechanism: Sequencing Numbers
        • Flow Control Mechanism: Positive Acknowledgment with Retransmission (PAR)
        • Flow Control Mechanism: Windowing
        • Windowing
        • Sliding Windows
        • Sliding Window Example
        • TCP Services
        • User Datagram Protocol (UDP)
        • UDP Operation
      • Introduction to IPv6
        • What Is Internet Protocol v6 (IPv6)?
        • IPv6 Header
        • IPv4/IPv6 Transition Mechanisms
        • IPv6 Security Issues
        • IPv6 Infrastructure Security Issues
        • IPv6 Address Notation
        • IPv6 Address Prefix
        • IPv6 Address Lifetime
        • IPv6 Address Structure
        • Address Allocation Structure
        • Hierarchical Routing
        • Types of IPv6 Addresses
        • IPv4-compatible IPv6 Address
        • IPv4 vs. IPv6
      • TCP/IP Security
        • IPsec
        • DNSSEC
        • DNSSEC Features
        • DNSSEC Working
        • Managing DNSSEC for Your Domain Name
        • What Is a DS Record?
        • How Does DNSSEC Protect Internet Users?
        • Operation of DNSSEC
        • Firewalls and Packet Filtering
        • Denial-of-Service (DoS) Attacks
        • DoS SYN Flooding Attack
      • Internet Control Message Protocol (ICMP)
        • Internet Control Message Protocol (ICMP)
        • Error Reporting and Correction
        • ICMP Message Delivery
        • Format of an ICMP Message
        • Unreachable Networks
        • Destination Unreachable Message
        • ICMP Echo (Request) and Echo Reply
        • Time Exceeded Message
        • IP Parameter Problem
        • ICMP Control Messages
        • ICMP Redirects
        • Clock Synchronization and Transit Time Estimation
        • Information Requests and Reply Message Formats
        • Address Masks
        • Router Solicitation and Advertisement
      • TCP/IP in Mobile Communications
        • TCP/IP Concepts in Mobile Technology
        • TCP Options That Can Help Improve Performance
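
Worked example, added here and not part of the EC-Council slides: the DS record computation behind "What Is a DS Record?" and "How Does DNSSEC Protect Internet Users?" above. A parent zone publishes a DS that is a hash of the child's key-signing DNSKEY (owner name in canonical wire form followed by the DNSKEY RDATA, RFC 4034 section 5.1.4), labelled with the RFC 4034 Appendix B key tag; a validating resolver recomputes that hash from the DNSKEY it fetched and refuses the delegation when it does not match. The zone name Example.Test and the all-zero 64-byte key are constructed stand-ins, not real DNS data.

```python
import base64
import hashlib

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
FLAG_ZONE_KEY, FLAG_SEP = 0x0100, 0x0001


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA exactly as it appears on the wire: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key_b64: str,
              digest_type: int = 2) -> tuple:
    """DS RDATA the parent publishes for a child's DNSKEY: (key tag, algorithm, digest type, hex digest).
    digest = H(canonical owner name || DNSKEY RDATA)  (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner: str, dnskey: tuple, ds: tuple) -> bool:
    """What a validating resolver does at the delegation: does the child's DNSKEY hash to the parent's DS?"""
    flags, protocol, algorithm, public_key_b64 = dnskey
    return ds_record(owner, flags, protocol, algorithm, public_key_b64, ds[2]) == ds


def is_ksk(flags: int) -> bool:
    """A DS should point at a key with the Zone Key bit set and normally the SEP bit too (flags 257)."""
    return bool(flags & FLAG_ZONE_KEY) and bool(flags & FLAG_SEP)


# Constructed KSK: algorithm 13 (ECDSA P-256/SHA-256) whose 64-byte public key is all zeros. It is not
# a valid curve point, only a deterministic stand-in so the hashing and tagging arithmetic can be checked.
SAMPLE_OWNER = "Example.Test."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(64)).decode("ascii"))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, *SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

Because the owner name is part of the digest, a DS copied from one zone cannot vouch for the same key under another name, and because the name is canonicalized first, EXAMPLE.TEST and example.test yield the same DS. The all-zero key is deliberately not a valid ECDSA point; this block checks only the hashing and tagging, which is what a DS mismatch at the registrar usually comes down to.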

  • Penetration Testing Methodologies

    • Introduction to Penetration Testing
        • What Is Penetration Testing?
        • Why Penetration Testing?
        • Penetration Test vs. Vulnerability Test
        • What Should Be Tested?
        • What Makes a Good Penetration Test?
        • Constraints of Penetration Testing
      • Types of Penetration Testing
        • Scope of Penetration Testing
        • Blue Teaming/Red Teaming
        • Types of Penetration Testing
        • Black-box Penetration Testing
        • White-box Penetration Testing
        • Grey-box Penetration Testing
        • Penetration Testing Strategies: External Penetration Testing
        • Penetration Testing Strategies: Internal Security Assessment
      • Phases of Penetration Testing
        • Penetration Testing Process
        • Phases of Penetration Testing
        • Pre-Attack Phase
        • Pre-Attack Phase: Passive Reconnaissance
        • Pre-Attack Phase: Active Reconnaissance
        • Attack Phase
        • Attack Phase Activities
        • Activity: Perimeter Testing
        • Activity: Web Application Testing - I
        • Activity: Web Application Testing - II
        • Activity: Web Application Testing - III
        • Activity: Wireless Testing
        • Activity: Application Security Assessment
        • Types of Application Security Assessment
        • Activity: Network Security Assessment
        • Activity: Wireless/Remote Access Assessment
        • Activity: Database Penetration Testing
        • Activity: File Integrity Checking
        • Log Management Penetration Testing
        • Telephony Security Assessment
        • Data Leakage Penetration Testing
        • Social Engineering
        • Post-Attack Phase
      • Penetration Testing Methodology
        • Need for a Methodology
        • Penetration Testing Methodology
        • Reliance on Checklists and Templates
      • Pen Test Strategies
        • Operational Strategies for Security Testing
        • Categorization of the Information System Security
        • Identifying Benefits of Each Test Type
        • Prioritizing the Systems for Testing
        • ROI for Penetration Testing
        • Determining Cost of Each Test Type
        • Penetration Testing Best Practices
        • Guidelines for Security Checking
      • Penetration Testing Consultants
        • Penetration Testing Consultants
        • Required Skills Sets of a Penetration Tester
        • Hiring a Penetration Tester
        • Responsibilities of Penetration Tester
        • Profile of a Good Penetration Tester
        • Why Should the Company Hire You?
        • Companies’ Concerns
        • Sample Job and Salary Range for Penetration Testers
        • Penetration Tester Salary Trend
      • Ethics of a Licensed Penetration Tester
        • What Makes a Licensed Penetration Tester
        • Modus Operandi
        • Preparation
        • Ethics of a Penetration Tester
        • Evolving as a Licensed Penetration Tester
        • Dress Code
          • Example: Licensed Penetration Tester Dress Code
      • Communication Skills of a Penetration Tester
      • LPT Audited Logos
        • Example: LPT Audited Logos

  • Customers and Legal Agreements

    • Why Do Organizations Need Pen Testing?

      • Why Do Organizations Need Pen Testing?
      • Initial Stages in Penetration Testing
      • Understand Customer Requirements
      • Create a Checklist of the Testing Requirements
    • Penetration Testing ‘Rules of Behavior’
      • Penetration Testing ‘Rules of Behavior’
      • Penetration Testing Risks
      • Penetration Testing by Third Parties
      • Precautions While Outsourcing Penetration Testing
    • Legal Issues in Penetration Testing
      • Legal Issues in Penetration Testing
      • Get Out of Jail Free Card
      • Permitted Items in Legal Agreement
      • Confidentiality and Non-Disclosure Agreements (NDAs)
    • Penetration Testing Contract
      • Penetration Testing Contract
      • Drafting Contracts
      • XSECURITY: Sample Penetration Testing Contract
      • Sample Penetration Testing Contract
      • XSECURITY: Sample Rules of Engagement Document
      • Liability Issues
      • Negligence Claim
      • Limitations of the Contract
      • Plan for the Worst
    • How Much to Charge?
      • How Much to Charge?
      • How to Reduce the Cost of Penetration Testing

  • Rules of Engagement

    • Rules of Engagement (ROE)
      • Statement of  Work (SOW)
      • Rules of Engagement (ROE)
      • Scope of ROE
      • Points of Contact Template
    • Steps for Framing ROE
      • Steps for Framing ROE
      • Review Engagement Letter
    • Clauses in ROE
      • Clauses in ROE
      • Rules of Engagement Template (Sample)

  • Penetration Testing Planning and Scheduling

    • Test Plan and Its Purpose
    • Content of a Test Plan
    • Building a Penetration Test Plan
    • Test Plan Identifier
    • Test Deliverables
    • Penetration Testing Planning Phase: Define the Pen Testing Scope
      • Project Scope: Components to Be Tested
      • Project Scope: When to Retest?
      • Project Scope: Responsibilities
      • Staffing
        • Skills and Knowledge Required
        • Internal Employees
        • Penetration Testing Teams
        • Tiger Team
        • Questions to Ask Before Hiring Consultants for the Tiger Team
      • Kickoff Meeting
        • Meeting with the Client
        • Kickoff Meeting
      • Develop the Project Plan
        • Contents of a Pen Testing Project Plan
        • Project Plan Overview
        • Work Breakdown Structure or Task List
        • Penetration Testing Schedule
        • Penetration Testing Project Scheduling Tools: Project Professional 2013
        • Penetration Testing Project Scheduling Tools
        • XSECURITY: Test Plan Checklist
        • XSECURITY: Test Plan Checklist
        • Penetration Testing Hardware/Software Requirements

  • Pre-penetration Testing Steps

    • Pre-penetration Testing Steps
      • Step 1(a): List the Client Organization’s Penetration Testing Requirements for the Test
      • Step 1(b): List the Client Organization’s Purpose for the Test
      • Step 2: Obtain Penetration Testing Permission from the Company’s Stakeholders
      • Step 3: Obtain Special Permission if Required from the Local Law Enforcement Agency
      • Step 4: Obtain the Detailed Proposal of Tests and Services That Are to Be Carried Out
      • Step 5: List the Tests That Will Not Be Carried Out at the Client’s Network
      • Step 6: Identify the Type of Testing That Would Be Carried Out: Black-box or White-box Testing
      • Step 7: Identify the Type of Testing That Would Be Carried Out: Announced/Unannounced
      • Step 8: List the Servers, Workstations, Desktops, and Network Devices That Need to Be Tested
      • Step 9: Request Previous Penetration Testing/Vulnerability Assessment Reports (If Possible)
      • Step 10: Prepare the Rules of Engagement That Lists the Company’s Core Competencies/Limitations/Time Scales
      • Step 11: Hire a Lawyer Who Can Handle Your Penetration Testing Legal Documents
      • Step 12: Prepare the Penetration Testing Legal Document and Get It Vetted with Your Lawyer
      • Step 13: Prepare a Non-Disclosure Agreement (NDA) and Have the Client Sign It
      • Step 14: Obtain (if Possible) Liability Insurance from a Local Insurance Firm
      • Step 15: Identify Your Core Competencies/Limitations
      • Step 16: Allocate a Budget for the Penetration Testing Project (X Amount of Dollars)
      • Step 17: Identify the List of Penetration Testers Required for This Project
      • Step 18: Identify Who Will Be Leading the Penetration Testing Project (Chief Penetration Tester)
      • Step 19: Prepare a Tiger Team
      • Step 20: Obtain Temporary Identification Cards from the Client for the Team Members Involved in the Process
      • Step 21: Identify the Office Space/Location Your Team Would Be Working on for This Project
      • Step 22: Gather Information about the Client Organization’s History and Background
      • Step 23: Visit the Client Organization’s Premises and Become Familiar with the Surroundings
      • Step 24: Identify the Network Topology in Which the Test Would Be Carried Out
      • Step 25: List the Security Tools That You Will Be Using for the Penetration Testing Project
      • Step 26: List the Hardware and Software Requirements for the Penetration Testing Project
      • Step 27: Identify the Local Equipment Required for Pen Test
      • Step 28: Identify the Local Manpower Required for Pen Test
      • Step 29: Identify the Client’s IT Security Admin Who Will Be Helping You in the Pen Testing (if Possible)
      • Step 30: List the Contacts at the Client Organization Who Will Be in Charge of the Pen Testing Project
      • Step 31: Obtain the Contact Details of the Key Person at the Client’s Company During an Emergency
      • Step 32: List the Points of Contact During an Emergency
      • Step 33: List the Known Waivers/Exemptions
      • Step 34: List the Contractual Constraints in the Penetration Testing Agreement
      • Step 35: Identify the Reporting Time Scales with the Client’s Organization
      • Step 36: Negotiate Per Day/Per Hour Fee That You Will Be Charging for the Penetration Testing Project
      • Step 37: Draft the Timeline for the Penetration Testing Project
      • Step 38: Draft a Quotation for the Services That You Will Be Providing to the Client’s Organization
      • Step 39: Identify How the Final Penetration Testing Report Will Be Delivered to the Client’s Organization
      • Step 40: Identify the Reports to Be Delivered After Pen Test

  • Information Gathering

    • What Is Information Gathering?
    • Information Gathering Terminology
    • Information Gathering Steps
      • Step 1: Find the Company’s URL
      • Step 2: Locate Internal URLs
      • Step 3: Identify a Company’s Private and Public Websites
      • Step 4: Search for Company’s Information
        • Tools to Extract Company’s Data
      • Step 5: List the Contact Information, Email Addresses, and Telephone Numbers
        • Search Telephone Numbers Using http://www.thephonebook.bt.com
      • Step 6: List Employees of the Company and Personal Email Addresses
      • Step 7: Investigate Key Persons – Searching in Google, Look Up Their Resumes and Cross Link Information
      • Step 8: Search the Internet, Newsgroups, Bulletin Boards, and Negative Websites for Information about the Company
      • Step 9: Find the Geographical Location of a Company
        • Geographical Location Search Using Google Earth
      • Step 10: Use People Search Online Services to Collect the Information
        • Search People Using http://pipl.com
        • Search People Using http://www.intelius.com
        • Search People on Online Services
        • People Search Online Services

      • Step 11: Browse Social Network Websites to Find the Information about the Company
        • Search People on Social Networking Services
      • Step 12: Use Google/ Yahoo! Finance to Search for Press Releases Issued by the Company
      • Step 13: Search for Link Popularity of the Company’s Website
        • Search Link Popularity on Alexa
        • Search Link Popularity on SeoCentro
        • Search Link Popularity on Link Appeal
        • Link Popularity Search Online Services
      • Step 14: Search for Company’s Job Postings through Job Sites
      • Step 15: Monitor Target Using Google Alerts
      • Step 16: Gather Competitive Intelligence
        • Competitive Intelligence: When Did This Company Begin? How Did It Develop?
        • Competitive Intelligence: What Are the Company's Plans?
        • Competitive Intelligence: What Does Expert Opinion Say About the Company?
        • Competitive Intelligence: Use the EDGAR Database to Research Company Information
        • Competitive Intelligence: Search Company Business Reports and Profiles at Hoovers
        • Competitive Intelligence Tools
        • Competitive Intelligence Consulting Companies

      • Step 17: Search for Trade Association Directories
      • Step 18: List the Products Sold by the Company
        • Search on Ebay for the Company’s Presence
      • Step 19: List the Company’s Partners and Distributors
      • Step 20: Compare Price of Product or Service with Competitor
        • Price Comparison Services
      • Step 21: Search for Web Pages Posting Patterns and Revision Numbers
      • Step 22: Visit the Company as Inquirer and Extract Privileged Information
      • Step 23: Visit the Company Locality
      • Step 24: Email the Employee Disguised as Customer Asking for Quotation
      • Step 25: Use Web Investigation Tools to Extract Sensitive Data Targeting the Company
      • Step 26: Look Up Registered Information in WhoIs Database
        • WhoIs Lookup Result
        • WhoIs Lookup Tools
        • WhoIs Lookup Tools: SmartWhois
      • Step 27: Extract DNS Information using Domain Research Tools
        • DNS Interrogation Tools
        • Domain Research Tool (DRT)
        • DNS Interrogation Tools
      • Step 28: Search Similar or Parallel Domain Name Listings
      • Step 29: Retrieve the DNS Record of the Organization from Publicly Available Servers
        • DNS Interrogation Online Tools
      • Step 30: Locate the Network Range
        • Traceroute Analysis
        • Traceroute Tool: VisualRoute 2010
        • Traceroute Tool: Path Analyzer Pro
        • Traceroute Tools
      • Step 31: Search the Internet Archive Pages about the Company
      • Step 32: Monitor Web Updates Using Website Watcher
      • Step 33: Crawl the Website and Mirror the Pages on Your PC
        • Website Mirroring Tools
      • Step 34: Crawl the FTP Site and Mirror the Pages on Your PC
        • FTP Site Mirroring Tool: WebCopier Pro
      • Step 35: Track Email Communications
        • Email Tracking Tools
      • Step 36: Use GHDB and Search for the Company’s Internal Resources
        • GHDB Screenshot

  • Vulnerability Analysis

    • What Is Vulnerability Assessment?
    • Why Vulnerability Assessment?
    • Vulnerability Classification
    • Types of Vulnerability Assessment
    • How to Conduct a Vulnerability Assessment
    • How to Obtain a High Quality Vulnerability Assessment
    • Vulnerability Assessment Phases
      • Pre-Assessment Phase
      • Assessment Phase
      • Post-Assessment Phase
    • Vulnerability Analysis Stages
    • Comparing Approaches to Vulnerability Assessment
      • Product-based Solutions
      • Service-based Solutions
      • Tree-based Assessment
      • Inference-based Assessment
    • Characteristics of a Good Vulnerability Assessment Solution
    • Vulnerability Assessment Considerations
    • Vulnerability Assessment Reports
      • Sample Vulnerability Assessment Report
    • Vulnerability Report Model
    • Timeline
    • Types of Vulnerability Assessment Tools
      • Host-based Vulnerability Assessment Tools
      • Application-layer Vulnerability Assessment Tools
      • Depth Assessment Tools
      • Scope Assessment Tools
      • Active/Passive Tools
      • Location/Data Examined Tools
    • Choosing a Vulnerability Assessment Tool
    • Criteria for Choosing a Vulnerability Assessment Tool
    • Best Practices for Vulnerability Assessment Tools
    • Vulnerability Assessment Tools
      • QualysGuard Vulnerability Management
      • Retina Network Security Scanner
      • GFI LANGuard
      • SAINT Vulnerability Scanner
      • Microsoft Baseline Security Analyzer (MBSA)
      • Nessus
    • Report
      • Vulnerability Assessment Reports
      • Security Vulnerability Report
      • Security Vulnerability Summary
      • AVDS - Automated Vulnerability Detection System
      • Automated Scanning Server Reports

    • Vulnerability Analysis Chart

  • External Penetration Testing

    • External Intrusion Test and Analysis
    • Why Is It Done?
    • Client Benefits
    • External Penetration Testing
    • Steps for Conducting External Penetration Testing

      • Step 1: Inventory Company’s External Infrastructure
      • Step 2: Create Topological Map of the Network
      • Step 3: Identify the IP Address
      • Step 4: Locate the Traffic Route that Goes to the Web Servers
        • Traceroute Example
      • Steps 5 and 6: Locate the TCP/UDP Traffic Path to the Destination
        • Traffic Sniffing and Analysis Tool: Tstat
      • Step 7: Identify the Physical Location of the Target Servers
      • Step 8: Examine the Use of IPv6 at the Remote Location
      • Step 9: Look Up Domain Registry for IP Information
        • DNS Interrogation Tools
      • Step 10: Find IP Block Information about the Target
        • WHOIS Lookup Tools
      • Step 11: Locate the ISP Servicing the Client
      • Step 12: Port Scan Every Port (65,536) on the Target’s Network
        • Common Ports List
      • Step 13: List Open Ports
        • Scanning Tool: NetScan Tools Pro
      • Step 14: List Closed Ports
        • Scanning Tools
      • Step 15: List Suspicious Ports That Are Half Open/Closed
      • Step 16: Use SYN Scan on the Target and See the Response
      • Step 17: Use Connect Scan on the Target and See the Response
      • Step 18: Use XMAS Scan on the Target and See the Response
      • Step 19: Use FIN Scan on the Target and See the Response
      • Step 20: Use NULL Scan on the Target and See the Response
      • Step 21: Use Fragmentation Scanning and Examine the Response
      • Step 22: Firewalk on the Router’s Gateway and Guess the Access List
      • Step 23: Examine TCP Sequence Number Prediction
      • Step 24: Examine the Use of Standard and Non-Standard Protocols
      • Step 25: Examine IPID Sequence Number Prediction
        • Hping2 IPID Example
      • Step 26: Examine the System Uptime of Target Server
      • Step 27: Examine Operating System Used for Different Targets
      • Step 28: Examine the Patches Applied to the Operating System
      • Step 29: Locate DNS Record of the Domain and Attempt DNS Hijacking
      • Step 30: Download Applications from the Company’s Website and Reverse Engineer the Binary Code
      • Step 31: List Programming Languages Used and Application Software to Create Various Programs from the Target Server
      • Step 32: Look for Error and Custom Web Pages
      • Step 33: Guess Different Subdomain Names and Analyze Responses
      • Step 34: Examine the Session Variables
      • Step 35: Examine Cookies Generated by the Server
      • Step 36: Examine the Access Controls Used by the Web Application
      • Step 37: Brute Force URL Injections and Session Tokens
      • Step 38: Check for Directory Consistency and Page Naming Syntax of the Web Pages
      • Step 39: Look for Sensitive Information in Web Page Source Code
      • Step 40: Attempt URL Encodings on the Web Pages
      • Step 41: Try Buffer Overflow Attempts in Input Fields
        • Look for Invalid Ranges in Input Fields
        • Attempt Escape Character Injection
      • Step 42: Try Cross Site Scripting (XSS) Techniques
      • Step 43: Record and Replay the Traffic to the Target Web Server and Note the Response
      • Step 44: Try Various SQL Injection Techniques
      • Step 45: Examine Hidden Fields
        • Examine Server Side Includes (SSI)
      • Step 46: Examine E-commerce and Payment Gateways Handled by the Web Server
      • Step 47: Examine Welcome Messages, Error Messages, and Debug Messages
      • Step 48: Probe the Service by SMTP Mail Bouncing
      • Step 49: Grab the Banner of HTTP Servers
      • Step 50: Grab the Banner of SMTP Servers
      • Step 51: Grab the Banner of POP3 Servers
      • Step 52: Grab the Banner of FTP Servers
      • Step 53: Identify the Web Extensions Used at the Server
      • Step 54: Try to Use HTTPS Tunnel to Encapsulate Traffic
      • Step 55: OS Fingerprint Target Servers
      • Step 56: Check for ICMP Responses
      • Step 57: Check for ICMP Responses from Broadcast Address
      • Step 58: Port Scan DNS Servers (TCP/UDP 53)
      • Step 59: Port Scan TFTP Servers (Port 69)
      • Step 60: Test for NTP Ports (Port 123)
      • Step 61: Test for SNMP Ports (Port 161)
      • Step 62: Test for Telnet Ports (Port 23)
      • Step 63: Test for LDAP Ports (Port 389)
      • Step 64: Test for NetBIOS Ports (Ports 135-139, 445)
      • Step 65: Test for SQL Server Ports (Port 1433, 1434)
      • Step 66: Test for Citrix ICA Ports (Port 1494)
      • Step 67: Test for Oracle Ports (Port 1521)
      • Step 68: Test for NFS Ports (Port 2049)
      • Step 69: Test for Compaq/HP Insight Manager Ports (Ports 2301, 2381)
      • Step 70: Test for Remote Desktop Ports (Port 3389)
      • Step 71: Test for Sybase Ports (Port 5000)
      • Step 72: Test for SIP Ports (Port 5060)
      • Step 73: Test for VNC Ports (Port 5900/5800)
      • Step 74: Test for X11 Ports (Port 6000)
      • Step 75: Test for Jet Direct Ports (Port 9100)
      • Step 76: Port Scan FTP Data (Port 20)
      • Step 77: Port Scan Web Servers (Port 80)
      • Step 78: Port Scan SSL Servers (Port 443)
      • Step 79: Port Scan Kerberos-Active Directory (Port TCP/UDP 88)
      • Step 80: Port Scan SSH Servers (Port 22)
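
Added example for steps 49 to 52 (banner grabbing), written for this page rather than taken from the course: the protocol decides whether the tester has to speak first. SMTP, POP3, FTP and SSH greet on connect, so the banner arrives unprompted; an HTTP server says nothing until it gets a request, so the probe sends a HEAD and reads the Server header. To keep the example runnable offline it starts one-shot listeners on 127.0.0.1 with constructed banners (a Postfix, a vsFTPd and an Apache string) plus one that never answers, instead of contacting a real target; the banners, ports and timeout are assumptions.

```python
import socket
import threading

# Constructed banners standing in for a target's services; no real host is contacted.
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"
FTP_BANNER = b"220 (vsFTPd 3.0.3)\r\n"
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"

# Who speaks first decides the probe: SMTP, POP3, FTP and SSH greet on connect,
# an HTTP server says nothing until it gets a request.
PROBES = {
    "http": b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",
    "smtp": None, "pop3": None, "ftp": None, "ssh": None,
}


def grab_banner(host: str, port: int, protocol: str, timeout: float = 1.0):
    """Connect, send the protocol's probe if it has one, and return the greeting line
    (plus the HTTP Server header when present). None means the service stayed silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if PROBES[protocol]:
                s.sendall(PROBES[protocol])
            data = s.recv(4096)
    except OSError:                      # socket.timeout, connection refused, reset
        return None
    if not data:
        return None
    lines = data.decode("latin-1", "replace").split("\r\n")
    result = {"first_line": lines[0]}
    for line in lines[1:]:
        if line.lower().startswith("server:"):
            result["server"] = line.split(":", 1)[1].strip()
    return result


def fake_service(reply, speaks_first: bool) -> int:
    """One-shot listener on 127.0.0.1 standing in for a target service; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if not speaks_first:
                conn.recv(4096)          # wait for the client's request (or its disconnect)
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def survey() -> dict:
    """Grab banners from three constructed services and one that never answers."""
    ports = {"smtp": fake_service(SMTP_BANNER, True), "ftp": fake_service(FTP_BANNER, True),
             "http": fake_service(HTTP_REPLY, False), "silent": fake_service(None, False)}
    return {name: grab_banner("127.0.0.1", port, "ssh" if name == "silent" else name)
            for name, port in ports.items()}


if __name__ == "__main__":
    for name, banner in survey().items():
        print(f"{name:6s} {banner}")
```

Treat a banner as a claim rather than a fact: administrators change ServerTokens and 220 greetings, and the silent case (None) is the normal result for a service behind a proxy or a firewall that accepts the connection but never answers. The same output feeds steps 27 and 28 (operating system and patch level) as a weak signal only.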

    • Recommendations to Protect Your System from External Threats

  • Internal Network Penetration Testing

    • Internal Testing
    • Steps for Internal Network Penetration Testing
      • Step 1: Map the Internal Network
      • Step 2: Scan the Network for Live Hosts
      • Step 3: Port Scan the Individual Machines
      • Step 4: Try to Gain Access Using Known Vulnerabilities
      • Step 5: Attempt to Establish Null Sessions
      • Step 6: Enumerate Users
      • Step 7: Sniff the Network Using Wireshark
      • Step 8: Sniff POP3/FTP/Telnet Passwords
      • Step 9: Sniff Email Messages/ VoIP Traffic
      • Sniffer Tools
      • Step 10: Attempt Replay Attacks
      • Step 11: Attempt ARP Poisoning
      • Step 12: Attempt MAC Flooding
      • Step 13: Conduct a Man-in-the-Middle Attack
      • Step 14: Attempt DNS Poisoning
      • Example of a Normal Hosts File and One Under a DNS Poisoning Attack
      • Step 15: Try to Log into a Console Machine
      • Step 16: Boot the PC Using Alternate OS and Steal the SAM File
      • Copying Commands in Knoppix
      • Microsoft Diagnostics and Recovery Toolset (DART)
      • Reset the Administrator’s Password
      • Step 17: Attempt to Plant a Software Keylogger to Steal Passwords
      • Keyloggers and Spyware
      • Step 18: Attempt to Plant a Hardware Keylogger to Steal Passwords
      • Step 19: Attempt to Plant Spyware on the Target Machine
      • Step 20: Attempt to Plant a Trojan on the Target Machine
      • Step 21: Attempt to Create a Backdoor Account on the Target Machine
      • Step 22: Attempt to Bypass Antivirus Software Installed on the Target Machine
      • Step 23: Attempt to Send a Virus Using the Target Machine
      • Step 24: Attempt to Plant Rootkits on the Target Machine
      • Step 25: Hide Sensitive Data on Target Machines
      • WinMend Folder Hidden
      • Step 26: Hide Hacking Tools and Other Data on Target Machines
      • Step 27: Use Various Steganography Techniques to Hide Files on Target Machines
      • Whitespace Steganography Tool: SNOW
      • Step 28: Escalate User Privileges
      • Step 29: Run Wireshark with the Filter ip.src==[ip_address]
      • Step 30: Run Wireshark with the Filter ip.dst==[ip_address]
      • Step 31: Run Wireshark with Protocol-based Filters
      • Step 32: Run Wireshark with the Filter tcp.port==[port_no]
      • Step 33: Capture POP3 Traffic
      • Step 34: Capture SMTP Traffic
      • Step 35: Capture IMAP Email Traffic
      • Step 36: Capture the Communications between FTP Client and FTP Server
      • Step 37: Capture HTTP Traffic
      • Step 38: Capture HTTPS Traffic (Even Though the Payload Cannot Be Decrypted Without the Session Keys)
      • Step 39: Capture RDP Traffic
      • Step 40: Capture VoIP Traffic
      • Step 41: Spoof the MAC address
      • Step 42: Poison the Victim’s IE Proxy Server
      • Step 43: Attempt Session Hijacking on Telnet Traffic
      • Step 44: Attempt Session Hijacking on FTP Traffic
      • Step 45: Attempt Session Hijacking on HTTP Traffic
      • Automated Internal Network Penetration Testing Tool: Metasploit
      • Automated Internal Network Penetration Testing Tool: CANVAS
      • Vulnerability Scanning Tools
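
Added example, not from the course material, that takes step 11 (ARP poisoning) from the defender's side, the check a client usually wants alongside the finding: it decodes Ethernet/ARP frames and flags three symptoms of a poisoned segment, a reply nobody asked for, a frame whose Ethernet source differs from the ARP sender, and an IP whose MAC changes against a learned or configured binding. The capture is constructed inline (a host asking for its gateway 10.0.0.1, the gateway's answer, then an attacker answering for the same IP); all addresses are invented.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP request/reply (constructed test traffic)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(b[0:6]), "sender_ip": ip_str(b[6:10]),
            "target_mac": mac_str(b[10:16]), "target_ip": ip_str(b[16:20])}


class ArpWatch:
    """Learns IP->MAC bindings from traffic and flags the symptoms of ARP cache poisoning."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # trusted bindings seeded from config (e.g. the gateway)
        self.pending = set()              # IPs that have been asked for and not yet answered
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["op"] == ARP_REQUEST:
            self.pending.add(arp["target_ip"])
        elif arp["op"] == ARP_REPLY:
            if ip not in self.pending:        # nobody asked: the classic poisoning pattern
                self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            self.pending.discard(ip)
        if arp["eth_src"] != mac:             # crafted frame: L2 source and ARP sender disagree
            self.alerts.append(f"frame from {arp['eth_src']} claims ARP sender {mac}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")


def replay_sample() -> list:
    """Constructed capture: one legitimate request/reply, then an attacker claiming the gateway's IP."""
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"
    host_ip, host_mac, attacker_mac = "10.0.0.5", "00:11:22:33:44:05", "de:ad:be:ef:00:01"
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, host_mac, host_ip),    # the poisoning reply
    ]
    watch = ArpWatch(static={gw_ip: gw_mac})
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in replay_sample():
        print(alert)
```

On a real segment feed the same observe() loop from a pcap or a raw socket, and seed the table with the gateway and other static hosts: a detector that only learns from traffic trusts whichever reply it happens to see first.
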
    • Recommendations for Internal Network Penetration Testing

  • Firewall Penetration Testing

    • What Is a Firewall?
    • What Does a Firewall Do?
    • Packet Filtering
    • What Can’t a Firewall Do?
    • How Does a Firewall Work?
    • Firewall Logging Functionality
    • Firewall Policy
    • Periodic Review of Information Security Policies
    • Firewall Implementation
    • Build a Firewall Ruleset
    • Maintenance and Management of Firewall
    • Hardware Firewall
    • Software Firewall
    • Types of Firewalls
      • Packet Filtering Firewall
      • IP Packet Filtering Firewall
      • Circuit Level Gateway
      • TCP Packet Filtering Firewall
      • Application Level Firewall
      • Application Packet Filtering Firewall
      • Stateful Multilayer Inspection Firewall
      • Multilayer Inspection Firewall
    • Firewall Penetration Testing Tool: Firewall Test Agent
    • Firewall Penetration Testing Tools
    • Firewall Ruleset Mapping
    • Best Practices for Firewall Configuration
    • Steps for Conducting Firewall Penetration Testing
      • Step 1: Locate the Firewall
      • Step 2: Traceroute to Identify the Network Range
      • Step 3: Port Scan the Firewall
      • Step 4: Grab the Banner
      • Step 5: Create Custom Packets and Look for Firewall Responses
      • Step 6: Test Access Control Enumeration
      • Step 7: Test to Identify the Firewall Architecture
      • Step 8: Testing Firewall Policy
      • Step 9: Test the Firewall Using a Firewalking Tool
      • Step 10: Test for Port Redirection
        • Firewall Identification
      • Step 11: Testing the Firewall from Both Sides
      • Step 12: Overt Firewall Test from Outside
      • Step 13: Test Covert Channels
      • Step 14: Covert Firewall Test from Outside
      • Step 15: Try to Bypass Firewall Using IP Address Spoofing
      • Step 16: Try to Bypass Firewall Using Tiny Fragments
      • Step 17: Try to Bypass Firewall Using IP Address in Place of URL
      • Step 18: Try to Bypass Firewall Using Anonymous Website Surfing Sites
      • Step 19: Try to Bypass Firewall Using Proxy Server
      • Step 20: Test HTTP Tunneling Method
      • Step 21: Test ICMP Tunneling Method
      • Step 22: Test ACK Tunneling Method
      • Step 23: Try to Bypass Firewall through MITM Attack
      • Step 24: Test Firewall-Specific Vulnerabilities
    • Document Everything

  • IDS Penetration Testing

    • Introduction to IDS
    • Application-based IDS
    • Multi-Layer Intrusion Detection Systems
    • Multi-Layer Intrusion Detection System Benefits
    • Wireless Intrusion Detection Systems (WIDSs)
    • Common Techniques Used to Evade IDS Systems
    • IDS Penetration Testing Steps
      • Step 1: Test for Resource Exhaustion
      • Step 2: Test the IDS by Sending ARP Flood
      • Step 3: Test the IDS by MAC Spoofing
      • Step 4: Test the IDS by IP Spoofing
      • Step 5: Test the Insertion on IDS
      • Step 6: Test by Sending a Packet to the Broadcast Address
      • Step 7: Test by Sending Inconsistent Packets
      • Step 8: Test IP Packet Fragmentation
        • Packet Fragmentation
      • Step 9: Test for Overlapping
      • Step 10: Test for Ping of Death
      • Step 11: Test for TTL Evasion
      • Step 12: Test by Sending a Packet to Port 0
      • Step 13: Test for UDP Checksum
      • Step 14: Test for TCP Retransmissions
      • Step 15: Test the IDS by TCP Flag Manipulation
        • TCP Flags
      • Step 16: Test the IDS by Sending SYN Floods
      • Step 17: Test Initial Sequence Number Prediction
      • Step 18: Test for Backscatter
      • Step 19: Check for False Positive Generation
      • Step 20: Test the IDS Using Covert Channels
      • Step 21: Test Using TCPReplay
      • Step 22: Test the IDS Using TCPopera
      • Step 23: Test the IDS Using Method Matching
      • Step 24: Test the IDS Using URL Encoding
      • Step 25: Test the IDS Using Double Slashes
      • Step 26: Test the IDS for Reverse Traversal
      • Step 27: Test for Self-Referencing Directories
      • Step 28: Test for Premature Request Ending
      • Step 29: Test for IDS Parameter Hiding
      • Step 30: Test for HTTP Misformatting
      • Step 31: Test for Long URLs
      • Step 32: Test for Win Directory Syntax
      • Step 33: Test for Null Method Processing
      • Step 34: Test for Case Sensitivity
      • Step 35: Test Session Splicing
      • Step 36: Try to Bypass Invalid RST Packets through IDS
        • Automated IDS Auditing Tool: Traffic IQ Professional
        • Intrusion Detection Tool: Snort
        • Intrusion Detection Tools
    • Recommendations for IDS Penetration Testing

  • Password Cracking Penetration Testing

    • Password - Terminology
    • Importance of Passwords
    • Password Types
      • Cleartext Passwords
      • Obfuscated Passwords
      • Hashed Passwords
    • Common Password Vulnerabilities
      • Organizational Password Vulnerabilities
      • Technical Password Vulnerabilities
    • Password Cracking Techniques
      • Dictionary Attacks
      • Brute Forcing Attacks
      • Hybrid Attack
      • Syllable Attack
      • Rule-based Attack
    • Types of Password Attacks
    • How Are Passwords Stored in Windows?
    • LM Authentication
    • NTLM Authentication
    • Kerberos Authentication
    • LM, NTLMv1, and NTLMv2
    • How Are Passwords Stored in Linux?
    • Steps for Password Cracking Penetration Testing
      • Step 1: Identify the Target Person’s Personal Profile
        • People Search Using http://pipl.com
        • People Search on Online Services
        • People Search on Social Networking Services
        • People Search on Job Sites
      • Step 2: Perform Non-Electronic Attacks
      • Step 3: Build a Dictionary of Word Lists
        • Dictionary Maker Tool: Word List Compiler
      • Step 4: Attempt to Guess Passwords
      • Step 5: Perform Brute-Force and Dictionary Attacks
        • Password Cracking Tool: Cain & Abel
      • Step 6: Perform Wire Sniffing to Capture Passwords
        • Packet Sniffing Tool: Wireshark
        • Packet Sniffing Tool: NetworkMiner
        • Packet Sniffing Tools
      • Step 7: Perform Man-in-the-Middle Attack to Collect Passwords
        • Man-in-the-Middle Attack Using Ettercap
      • Step 8: Perform Replay Attack to Collect Passwords
        • Network Analyzer: Tcpdump/WinDump
      • Step 9: Extract SAM File in Windows Machines
        • Tool: SAMInside
      • Step 10: Perform Hash Injection (Pass-the-Hash) Attack
      • Step 11: Perform Rainbow Attack (Perform Password Attack Using Pre-Computed Hashes)
      • Step 12: Extract Cleartext Passwords from an Encrypted LM Hash
      • Step 13: Perform Password Cracking Using Distributed Network Attack
        • Elcomsoft Distributed Password Recovery
      • Step 14: Extract /etc/passwd and /etc/shadow Files in Linux Systems
      • Step 15: Use Automated Passwords Crackers to Break Password-protected Files
        • Password Cracking Tools
      • Step 16: Use Trojan/Spyware/Keyloggers to Capture Passwords
        • Spyware Tools
        • Keyloggers

  • Social Engineering Penetration Testing

    • What Is Social Engineering?
    • Social Engineering Pen Testing
    • Impact of Social Engineering on the Organization
    • Common Targets of Social Engineering
    • Requirements of Social Engineering
    • Steps in Conducting Social Engineering Penetration Test
      • Step 1: Attempt Social Engineering Using the Phone
        • Technical Support Example
        • Authority Support Example
      • Step 2: Attempt Social Engineering by Vishing
      • Step 3: Attempt Social Engineering Using Email
        • Email Spoof: Example
      • Step 4: Attempt Social Engineering by Using Traditional Mail
        • Example 1
        • Example 2
      • Step 5: Attempt Social Engineering in Person
        • Example
      • Step 6: Attempt Social Engineering by Dumpster Diving
        • Steps for Dumpster Diving
      • Step 7: Attempt Social Engineering through Insider Accomplice
        • Accomplice
      • Step 8: Attempt Social Engineering by Shoulder Surfing
      • Step 9: Attempt Social Engineering by Desktop Information
      • Step 10: Attempt Social Engineering by Extortion and Blackmail
      • Step 11: Attempt Social Engineering Using Phishing Attacks
      • Step 12: Attempt Identity Theft
        • Steps for Identity Theft
        • Identity Theft Example
      • Step 13: Try to Obtain Satellite Imagery and Building Blueprints
        • Satellite Picture of an Organization
      • Step 14: Try to Obtain the Details of an Employee from Social Networking Sites
        • Social Engineering Example: LinkedIn Profile
        • Social Engineering Example: Facebook Profile
        • Social Engineering Example: Twitter Profile
        • Social Engineering Example: Orkut Profile
        • Social Engineering Example: MySpace Profile
      • Step 15: Use a Telephone Monitoring Device to Capture Conversation
        • Telephone Recorders and Call Recorders
      • Step 16: Use Video Recording Tools to Capture Images
      • Step 17: Use a Vehicle/Asset Tracking System to Monitor Motor Vehicles
        • Vehicle/Asset Tracking System Examples
        • Spy Gadgets
      • Step 18: Identify “Disgruntled Employees” and Engage in Conversation to Extract Sensitive Information
      • Step 19: Document Everything

  • Web Application Penetration Testing

    • Introduction to Web Applications
    • Web Application Components
    • Web App Pen Testing Phases
      • Fingerprinting Web Application Environment
        • Step 1.1: Manually Browse the Target Website
        • Step 1.2: Check the HTTP and HTML Processing by the Browser
        • HTTP and HTML Analysis Tools
        • Step 1.3: Perform Web Spidering
        • Step 1.4: Perform Search Engine Reconnaissance
        • Step 1.5: Perform Server Discovery
        • Step 1.6: Perform Banner Grabbing to Identify the Target Server
        • Step 1.7: Perform Service Discovery
        • Step 1.8: Identify Server-side Technologies
        • Step 1.9: Identify Server-side Functionality
        • Step 1.10: Investigate the Output from HEAD and OPTIONS HTTP Requests
        • Step 1.11: Investigate the Format and Wording of 404/Other Error Pages
        • Step 1.12: Test for the Recognized File Types/Extensions/Directories
        • Step 1.13: Examine Source of the Available Pages
        • Step 1.14: Manipulate Inputs in Order to Elicit a Scripting Error
        • Step 1.15: Test for Hidden Fields (Discover Hidden Content)
        • Step 1.16: Test for/Discover Default Content
        • Step 1.17: Test for Directory Traversal
        • Step 1.18: Test for Debug Parameters
      • Testing for Web Server Vulnerabilities
        • Step 2.1: Test for Default Credentials
        • Step 2.2: Test for Dangerous HTTP Methods
        • Step 2.3: Test for Proxy Functionality
        • Step 2.4: Test for Virtual Hosting Misconfiguration
        • Step 2.5: Test for Web Server Software Bugs
        • Vulnerability Scanners
        • Step 2.6: Test for Server-side Include Injection Attack
      • Testing Configuration Management
        • Step 3.1: Test the Inner Workings of a Web Application
        • Step 3.2: Test the Database Connectivity
        • Step 3.3: Test the Application Code
        • Step 3.4: Test the Use of GET and POST in the Web Application
        • Step 3.5: Test for Improper Error Handling
        • Step 3.6: Identify Functionality
        • Step 3.7: Identify Entry Points for User Input
        • Step 3.8: Test for Parameter/Form Tampering
        • Step 3.9: Test for URL Manipulation
        • Step 3.10: Test for Hidden Field Manipulation Attack
        • Step 3.11: Map the Attack Surface
        • Step 3.12: Test for Known Vulnerabilities
        • Step 3.13: Perform Denial-of-Service Attack
        • Step 3.14: Check for Insufficient Transport Layer Protection
        • Step 3.15: Check for Weak SSL Ciphers
        • Step 3.16: Check for Insecure Cryptographic Storage
        • Step 3.17: Check for Unvalidated Redirects and Forwards
      • Testing for Client-side Vulnerabilities
        • Step 4.1: Test for Bad Data
        • Step 4.2: Test Transmission of Data via the Client
        • Step 4.3: Test Client-side Controls over User Input
        • Step 4.4: Identify Client-side Scripting
        • Step 4.5: Test Thick-client Components
        • Step 4.6: Test ActiveX Controls
        • Step 4.7: Test Shockwave Flash Objects
        • Step 4.8: Check for Frame Injection
        • Step 4.9: Test with User Protection via Browser Settings
      • Testing Authentication Mechanism
        • Step 5.1: Understand the Mechanism
        • Step 5.2: Test Password Quality
        • Step 5.3: Test for Username Enumeration
        • Step 5.4: Test Resilience to Password Guessing
        • Step 5.5: Test Any Account Recovery Function, and Remember Me Function
        • Step 5.6: Perform Password Brute-forcing
        • Step 5.7: Perform Session ID Prediction/Brute-forcing
        • Step 5.8: Perform Authorization Attack
        • Step 5.9: Perform HTTP Request Tampering
        • Step 5.10: Perform Authorization Attack - Cookie Parameter Tampering
      • Testing Session Management Mechanism
        • Step 6.1: Understand the Mechanism
        • Step 6.2: Test Tokens for Meaning
        • Step 6.3: Session Token Prediction (Test Tokens for Predictability)
        • Session Token Sniffing
        • Step 6.4: Check for Insecure Transmission of Tokens
        • Step 6.5: Check for Disclosure of Tokens in Logs
        • Step 6.6: Check Mapping of Tokens to Sessions
        • Step 6.7: Test Session Termination
        • Step 6.8: Test for Session Fixation Attack
        • Step 6.9: Test for Session Hijacking
        • Step 6.10: Check for XSRF
        • Step 6.11: Check Cookie Scope
        • Step 6.12: Test Cookie Attacks
      • Testing Authorization Controls
        • Step 7.1: Understand the Access Control Requirements
        • Step 7.2: Testing with Multiple Accounts
        • Step 7.3: Testing with Limited Access
        • Step 7.4: Test for Insecure Access Control Methods
        • Step 7.5: Test Segregation in Shared Infrastructures
        • Step 7.6: Test Segregation between ASP-hosted Applications
        • Connection String Injection
        • Connection String Parameter Pollution (CSPP) Attacks
        • Connection Pool DoS
      • Testing Data Validation Mechanism
        • Step 8.1: Test for LDAP Injection
      • Testing Web Services
        • Web Services Footprinting Attack
        • Web Services Probing Attacks
        • Step 9.1: Test for XML Structure
        • Step 9.2: Test for XML Content-level
        • Web Services XML Poisoning
        • Step 9.3: Test for WS HTTP GET Parameters/REST Attacks
        • Step 9.4: Test for Suspicious SOAP Attachments
        • SOAP Injection
        • Step 9.5: Test for XPath Injection Attack
        • Step 9.6: Test for WS Replay
      • Testing for Logic Flaws
        • Step 10.1: Identify the Key Attack Surface
        • Step 10.2: Test for Logic Flaws
        • Step 10.3: Test Multistage Processes
        • Step 10.4: Test Handling of Incomplete Input
        • Step 10.5: Test Trust Boundaries
        • Step 10.6: Test Transaction Logic

  • SQL Penetration Testing

    • Introduction to SQL Injection
    • How Do Web Applications Work?
    • How Does SQL Injection Work?
    • SQL Injection Attack Paths
    • Impact of SQL Injection Attacks
    • Types of SQL Injection Attacks
    • SQL Injection Attack Characters
    • SQL Injection Cheat Sheet
    • SQL Injection Penetration Testing Steps
      • Step 01: List All Input Fields and Hidden Fields of POST Requests
      • Step 02: Perform Information Gathering
      • Step 03: Attempt to Inject Codes into the Input Fields to Generate an Error
      • Step 04: Try to Find SQL Injection Vulnerabilities by Interface
        • GET/POST Requests Interceptor: Burp Suite Tool
      • Step 05: Try to Find SQL Injection Vulnerabilities by Manipulating a Parameter
      • Step 06: Try to Find SQL Injection Vulnerabilities Using Database Errors and Application Response
      • Step 07: Perform Fuzz Testing to Detect SQL Injection Vulnerabilities
      • Step 08: Perform Function Testing to Detect SQL Injection Vulnerabilities
      • Step 09: Perform Static/Dynamic Testing to Detect SQL Injection Vulnerabilities
      • Step 10: Perform Black Box Pen Testing
      • Step 11: Try to Detect SQL Injection Vulnerability Using Automated Web-App Vulnerability Scanners
        • SQL Injection Detection Tool: IBM AppScan
        • SQL Injection Detection Tools
      • Step 12: Perform a Simple SQL Injection Attack
      • Step 13: Perform an Error-based SQL Injection Attack
      • Step 14: Try to Bypass Website Logins Using SQL Injection
      • Step 15: Perform SQL Manipulation Attacks Using a WHERE Clause
      • Step 16: Perform UNION-based SQL Injection
      • Step 17: Perform Blind SQL Injection Attack
        • Blind SQL Injection Attack
      • Step 18: Try to Extract Database Name by Blind SQL Injection
      • Step 19: Try to Extract Database Users by Blind SQL Injection
      • Step 20: Try to Extract Column Names Using Blind SQL Injection
      • Step 21: Try to Enumerate First Table Entry Using Blind SQL Injection
      • Step 22: Try to Extract Data from Rows Using Blind SQL Injection
      • Step 23: Determine Privileges, DB Structure, and Column Names
      • Step 24: Try Advanced Enumeration Techniques
        • Blind SQL Injection Tool: Absinthe
      • Step 25: Perform Code Injection Attack
      • Step 26: Perform Function Call Injection Attack
      • Step 27: Perform Buffer Overflow Attack
      • Step 28: Try to Grab SQL Server Hashes
      • Step 29: Extract SQL Server Hashes
      • Step 30: Try to Transfer Database to a Different Machine
      • Step 31: Extract OS and Application Passwords
      • Step 32: Access System Files and Execute Commands
      • Step 33: Try to Perform Network Reconnaissance
      • Step 34: Try IDS Evasion Using 'OR 1=1 Equivalents
      • Step 35: Try to Evade IDS Using Hex Encoding
      • Step 36: Try to Evade IDS Using Char Encoding
      • Step 37: Try to Evade IDS by Manipulating White Spaces
      • Step 38: Try to Evade IDS Using In-line Comments
      • Step 39: Try to Evade IDS Using Obfuscated Code
        • SQL Injection Penetration Testing Tool: CORE IMPACT Pro
        • SQL Penetration Testing Tool: Safe3SI
        • SQL Penetration Testing Tool: BSQLHacker
        • SQL Penetration Testing Tool: SQL Power Injector
        • SQL Penetration Testing Tool: Havij
        • SQL Penetration Testing Tools
    • Best Practices to Prevent SQL Injection

  • Penetration Testing Reports and Post Testing Actions

    • Penetration Testing Deliverables
      • Penetration Testing Deliverables
      • Goal of the Penetration Testing Report
      • Types of Pen Test Reports
      • Characteristics of a Good Pen Testing Report
      • Delivering Penetration Testing Report
    • Writing Pen Testing Report
      • Writing the Final Report
      • Report Development Process
        • Planning the report
        • Collect and document the information
        • Write a draft report
        • Review and finalization of the report
    • Pen Testing Report Format
      • Sample Pen Testing Report Format
      • Report Format – Cover Letter
      • Document Properties/Version History
      • Table of Contents/Final Report
      • Summary of Execution
      • Scope of the Project
      • Evaluation Purpose/System Description
      • Assumptions/Timeline
      • Summary of Evaluation, Findings, and Recommendation
      • Methodologies
      • Planning
      • Exploitation
      • Reporting
      • Comprehensive Technical Report
      • Result Analysis
      • Recommendations
      • Appendices
      • Sample Appendix
    • Result Analysis
      • Penetration Testing Report Analysis
      • Report on Penetration Testing
      • Pen Test Team Meeting
      • Research Analysis
      • Pen Test Findings
      • Rating Findings
        • Example of Finding - I
        • Example of Finding - II
      • Analyze
    • Post Testing Actions
      • Prioritize Recommendations
      • Develop Action Plan
      • Points to Check in Action Plan
      • Develop and Implement Data Backup Plan
      • Create Process for Minimizing Misconfiguration Chances
      • Updates and Patches
      • Capture Lessons Learned and Best Practices
      • Create Security Policies
      • Conduct Training
      • Cleanup and Restoration
    • Report Retention
      • Report Retention
      • Destroy the Report
      • Sign-off Document
      • Sign-off Document Template