"Aren't tools meant for script kiddies?" is one of the FAQ questions on the CEH site. It's fitting and honest that they decided to include it.
Day One
Module One
1. Intro
2. Concepts
3. Lock Picking
4. DDoS Overview
5. General Overview of Rootkits
6. MD5 of Files
7. Rootkit Example
There are thousands of potential hackers with the ability to break into banks.
Linux is still the penetration tester's main tool.
As few as 20 machines can be used for a DDoS attack.
Line speed plays a factor in DDoS attacks.
End-user awareness is needed for increasing internal company security.
Normal locks can easily be picked; there is no security without physical security first.
EXEs formatted with JPG icons can easily trick end-users into running a virus.
SID 500 = administrator account
Administrator account never gets locked out.
There are many methodologies for penetration testing.
There is a concept of rings in an OS: user mode is ring 3, kernel mode is ring 0.
Applications in ring 3 cannot talk directly to hardware.
Rootkits can't be detected.
Module Two
1. Calling phone extensions outside of work hours
2. TsWeb / TsGrinder Overview
3. Querying Google for stuff
4. Wayback Machine for old data
Keyboard loggers
USB autorun is a big security issue in companies: competitions / old USB pens with viruses on them are handed out for employees to re-use.
TTL decreases by 1 when hopping routers and also when in a router buffer. 1 sec in a router buffer = -1 from TTL.
The backbone internet routers decide which IP address ranges are private.
Requests go all the way to the backbone internet routers.
zabasearch.com
NetCraft.com shows when a server was last patched, based on the last restart (not clustered etc.).
Search for the mail (MX) domain for email headers.
robtex shows domains hosted at an ISP / in the same block range.
Linux commands: dhcpcd requests a DHCP address.
VMware relates the hostname to the MAC address.
8088 = 8-bit processor
16-bit registers = 20-bit address
Password hash insertion = an administrator inserts a hash, vs. where a user changes their password.
Linux: ifconfig, instead of ipconfig.
Linux: HDA = IDE, SDA = SCSI
The SYSTEM file has the syskey, 128-bit, used to encrypt the SAM DB.
Day Two
Module Four
1. TCP
2. Network Chemistry Demo
3. OSI
4. TCP, ACK/SYN
5. Packizers / Ergeo Packer Buffer
DDoS and UDP
SMB is for NT commands across the network.
DNS = Zone Transfer = TCP 53
DNS over UDP = 512 bytes max data size; zone transfers bigger than 512 bytes use TCP.
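The two notes above describe the UDP/TCP split in DNS: a UDP answer is limited to 512 bytes, and anything larger (a zone transfer being the usual case) has to go over TCP, where each message is prefixed with a 2-byte length. The following is an added example, not course material or any tool's own code; it builds and parses only the 12-byte DNS header, and the message bytes it checks are constructed inline. A responder that cannot fit the answer into the UDP limit sets the TC (truncated) flag, which is the signal a client uses to retry over TCP.

```python
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035, section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
UDP_PAYLOAD_LIMIT = 512   # classic DNS-over-UDP message size limit
FLAG_QR = 0x8000          # set on responses
FLAG_TC = 0x0200          # set when the answer was truncated to fit in UDP
AXFR_QTYPE = 252          # zone transfer query type; always carried over TCP


def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a DNS header (used here to construct sample responses)."""
    return DNS_HEADER.pack(msg_id, flags, qd, an, ns, ar)


def parse_header(message):
    """Unpack the fixed header of a DNS message into a dict."""
    if len(message) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(message)
    return {"id": msg_id, "flags": flags, "qd": qd, "an": an, "ns": ns, "ar": ar}


def fits_in_udp(message):
    """True when the message can be sent as a plain DNS-over-UDP datagram."""
    return len(message) <= UDP_PAYLOAD_LIMIT


def needs_tcp_retry(udp_response):
    """True when a UDP response carries the TC bit, i.e. the client must retry over TCP."""
    flags = parse_header(udp_response)["flags"]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


def transport_for_query(qtype, message):
    """Pick the transport a client should use for an outgoing query."""
    if qtype == AXFR_QTYPE or not fits_in_udp(message):
        return "tcp"
    return "udp"


def frame_for_tcp(message):
    """DNS over TCP prefixes every message with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; return (messages, leftover bytes)."""
    messages = []
    while len(stream) >= 2:
        (n,) = struct.unpack_from("!H", stream)
        if len(stream) < 2 + n:
            break                      # partial message: wait for more data
        messages.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return messages, stream


if __name__ == "__main__":
    # Constructed sample responses: a normal one (QR, RD, RA) and a truncated one (QR, TC, RD, RA).
    normal = build_header(0x1234, 0x8180, an=1)
    truncated = build_header(0x1234, 0x8380, an=1)
    print("normal needs TCP retry:", needs_tcp_retry(normal))        # False
    print("truncated needs TCP retry:", needs_tcp_retry(truncated))  # True
    print("AXFR transport:", transport_for_query(AXFR_QTYPE, normal))  # tcp
    print(unframe_from_tcp(frame_for_tcp(b"AAA") + frame_for_tcp(b"BBBB")))
```

On the defensive side the same two checks are worth logging: a resolver that keeps receiving TC responses from one source, or a TCP port 53 session carrying an AXFR from a client that is not a secondary nameserver, is exactly the traffic an unauthorised zone transfer would produce.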
Trojans run on ports; the internet has lists of common ports and their associated trojans.
Relay: a host machine with opened ports.
Avg. MTU on the internet is 512 (ATM networks)
TCP flags: multiple can be set at the one time.
You can fingerprint OSs based on how they respond to multiple variations of packets.
No Packet Fragmentation in UDP
Fragmentation through the firewall has problems, as it allows fragmented packets to slip through to hosts on other ports.
TCP/IP can overlap a previously sent packet when it's being rebuilt on the client TCP adapter.
Windows ping data = 'A-Z'
Linux ping data = '0-9'
RST/ACK is normal internet activity.
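The notes on TCP flags, OS fingerprinting probes and RST/ACK above can be made concrete with a small flag decoder. This is an added example, not from the course or any scanner's code; it packs a bare 20-byte TCP header with struct, decodes the flags byte, and classifies the combination the way a defender's packet log would: SYN and SYN/ACK are a normal handshake, RST/ACK is the normal reply from a closed port, and combinations no normal stack sends (no flags at all, FIN/PSH/URG, SYN+FIN, SYN+RST) are the probe shapes fingerprinting tools use to see how a stack responds. The segments it inspects are constructed inline; the category names are this example's own.

```python
import struct

# TCP header without options: sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent
TCP_HEADER = struct.Struct("!HHIIBBHHH")
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def build_segment(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal TCP header (5 x 32-bit words, no options) for testing."""
    offset_byte = 5 << 4
    return TCP_HEADER.pack(sport, dport, seq, ack, offset_byte, flags, 65535, 0, 0)


def decode_flags(segment):
    """Return the names of every flag set in the header, in bit order."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("short TCP segment")
    flags = TCP_HEADER.unpack_from(segment)[5]
    return [name for name, bit in FLAG_BITS if flags & bit]


def classify(flag_names):
    """Map a flag combination to a coarse category (names chosen for this example)."""
    s = set(flag_names)
    if not s:
        return "null-probe"                   # no flags at all: never sent by a normal stack
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        return "xmas-probe"                   # "lit up" flags, used to elicit OS-specific replies
    if "SYN" in s and "FIN" in s:
        return "syn-fin-probe"                # contradictory: open and close at once
    if "SYN" in s and "RST" in s:
        return "syn-rst-probe"
    if s == {"SYN"}:
        return "connect-attempt"              # first step of the handshake
    if s == {"SYN", "ACK"}:
        return "connect-accepted"             # second step: port is open
    if s in ({"RST"}, {"RST", "ACK"}):
        return "port-closed"                  # RST/ACK: normal reply from a closed port
    return "data-or-teardown"                 # ACK, PSH/ACK, FIN/ACK and similar


def summarize(segments):
    """Count categories over a batch of segments, e.g. one capture window."""
    counts = {}
    for seg in segments:
        key = classify(decode_flags(seg))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one successful connect, one closed port, one odd probe.
    sample = [
        build_segment(40000, 80, 0x02),   # SYN
        build_segment(80, 40000, 0x12),   # SYN/ACK
        build_segment(40000, 81, 0x02),   # SYN to a closed port
        build_segment(81, 40000, 0x14),   # RST/ACK back: normal
        build_segment(40000, 82, 0x29),   # FIN/PSH/URG: fingerprinting probe
    ]
    for seg in sample:
        print(decode_flags(seg), "->", classify(decode_flags(seg)))
    print(summarize(sample))
```

A spike of the probe categories from a single source, next to a run of port-closed replies, is the pattern to alert on; the RST/ACK replies on their own are just the network saying "nothing here".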
Module Five
Null session = NetBIOS utilities
NetBIOS is originally a joint venture of IBM and Microsoft.
NetBIOS = programmer
NetBEUI = network, at most a subset of NetBIOS
WINS / LMHOSTS file uses NBT = NetBIOS over TCP/IP
95/NT/ME all use NBT.
Null session is for Network Neighbourhood; NET SEND for user accounts.
Sending email: Outlook uses lookups for addresses.
Day Three
Module Six
1. Overview of Cryptography
2. Hashing Overview
3. Rainbow Tables
4. IPSEC
5. Nessus
When a company encrypts email with their private key it proves that company was the one who sent it, as they are the only ones with the key.
Forensics: hash drives to prove that they have not tampered with the data, before and after they investigate.
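The "MD5 of files" item from Module One and the forensic note above are the same technique: take a digest of the evidence before work starts, take it again afterwards, and any difference proves the data was altered. The following is an added example, not course material or a forensic suite's own code. It hashes in fixed-size chunks (so a multi-gigabyte image does not have to fit in memory), records both MD5 and SHA-256 because MD5 alone is no longer considered collision-resistant, and the two "evidence" files it checks are constructed in a temporary directory.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024   # read evidence in 1 MiB blocks rather than loading whole files


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a readable binary stream, one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Digest one file on disk."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def make_manifest(paths, algorithms=("md5", "sha256")):
    """Baseline taken before the investigation: path -> digests."""
    return {p: hash_file(p, algorithms) for p in paths}


def verify_manifest(manifest):
    """Re-hash every path in the baseline; return the names of files whose digests changed."""
    changed = []
    for path, expected in manifest.items():
        actual = hash_file(path, tuple(expected))
        if actual != expected:
            changed.append(os.path.basename(path))
    return changed


def demo():
    """Constructed scenario: baseline two files, then write to one of them."""
    with tempfile.TemporaryDirectory() as d:
        notes = os.path.join(d, "notes.txt")
        image = os.path.join(d, "image.bin")
        with open(notes, "wb") as fh:
            fh.write(b"abc")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        baseline = make_manifest([notes, image])
        untouched = verify_manifest(baseline)          # [] : nothing changed yet
        with open(image, "ab") as fh:
            fh.write(b"\x00")                          # simulate an accidental write to the evidence
        return untouched, verify_manifest(baseline)    # ([], ["image.bin"])


if __name__ == "__main__":
    print(hash_bytes(b"abc"))
    print(demo())
```

In practice the baseline manifest is written out and signed or stored separately from the evidence, since a manifest kept on the same disk can be rewritten along with the data it is supposed to protect.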
SSL: roll keys, security policy
Symmetric uses the same key to lock/unlock.
Asymmetric: public key to encrypt / private key to decrypt.
NETBIOS = LMHash
Rainbow tables: a hash lookup table
14 characters, everything on the keyboard, English = 83 GB in size; 166 GB if you add one more character
IPSEC encrypts data
Tunnelling encrypts IP
Passwords should be over 14 characters; use a pass phrase, which will not be stored as an LM hash.
Module Seven
1. Buffer Overrun / Overflow
2. Metasploit
Race condition: multiple users doing something at the same time.
debug cmd.exe -t
4 register settings in every Intel CPU:
*D1 - data coding
*D2 - data segment
*SS - stack segment
*IP - instruction pointer
The CPU has its own stack.
NOP, the no-operation instruction in the CPU, can be inserted into the process queue to change a virus signature.
Segments in Intel CPU
*Code
*Data
*Stack
*Extended
A stack overflow writes over the stack and returns processing back to the stack to call bad code.
A NOP slide allows bad instructions to be more easily executed.
Module Eight
1. Malware
2. HijackThis
3. Netcat
4. Creating a basic virus
5. elitewrap.exe
6. Autoruns
7. Repackaging software
Module Nine
1. Windows Hacking
2. Keystroke Logging
3. LC5
4. Passwords, NTLM, NTHASH
5. Sniffing
6. Kerberos
7. Covering Tracks
8. Data Streams
Application Vulnerability Testing
Debugger: used to determine if a buffer overflow is working.