Enterprise Training

White Hat Hacker Training

Our comprehensive corporate training program is designed to empower you with the right foundations for ethical and effective responses to cyber threats.

Training Location: Online/Physical
Training Duration: 5 Days
Training Level: Beginner

About Training

Our corporate training program is comprehensively designed to equip participants with in-depth knowledge of white-hat hacking concepts, techniques, methodologies, and their practical applications across various domains. Throughout the training, participants will gain a solid understanding of security systems, ethical hacking techniques, penetration testing, vulnerability assessments, security protocols, and best practices to be followed in cybersecurity.

By the end of the program, participants will have the necessary knowledge to conduct penetration tests using industry-recognized methodologies. They will be well-prepared to take certification exams such as SANS GPEN or CEH. The training is scheduled on weekdays or weekends and is completed over the course of 5 days. Upon completion, participants receive a wet-signed Privia Security Certificate of Participation.

Prerequisites for Training

Individuals who wish to participate in the training are expected to possess certain fundamental competencies. These prerequisites are defined to ensure that participants can complete the program efficiently and effectively:

Basic knowledge of IT concepts
Introductory-level understanding of information security
Basic familiarity with Linux systems
Foundational knowledge of TCP/IP protocols
Experience in network security (optional)

Who Should Attend?

Our corporate training program is designed for professionals looking to enhance their ethical hacking and offensive cybersecurity skills.

Information security specialists
Network engineers and administrators
Cybersecurity analysts
IT professionals responsible for internal penetration testing
Experts aiming to conduct professional penetration tests

Privia Training in Numbers

Our cybersecurity training programs aim to raise organizational awareness by enhancing employees' understanding and consciousness of information security.

1200+ Training Hours
300+ Enterprise Customers
100+ Technical Publications
22.000+ Total Subscribers

Tailored Closed-Group Trainings for Enterprises

Training Content

Day 1

Threat, Vulnerability, Risk, Exposure

  • Definitions: Threat, Vulnerability, Risk, Exposure

  • Types of Attacks: Active Attack, Passive Attack, Insider Threat, External Attack

  • Concept of Ethical Hacking and Penetration Testing

  • Types of Ethical Hacking and Penetration Tests:

    • Network Security Testing

    • Web Application Testing

    • Client-Side Testing

    • Wireless Security Testing

  • Limitations of Ethical Hacking and Penetration Testing Approaches

  • Alternative Approaches for Identifying Security Vulnerabilities

  • Overview of Testing Methodologies:

    • OSSTMM

    • NIST 800-42

    • OWASP

    • Penetration Testing Execution Standard (PTES)

  • Common Tools and Exploit Resources for Ethical Hacking

  • Test Environments and Operational Considerations

  • Overview of Ethical Hacking and Penetration Testing Phases

  • Scoping and “Rules of Engagement” in Penetration Testing

  • Step-by-Step Testing Methodology in Ethical Hacking

  • Reporting Process:

    • Essential Report Content

    • Key Considerations

  • Legal and Compliance Considerations During Testing

  • First Phase of Ethical Hacking: Information Gathering

    • Asset Inventory within Scope

    • Search Engine and Web-Based Reconnaissance

    • Whois Enumeration

    • IP Block Allocation and Regional Internet Registries (ARIN, RIPE, etc.)

    • DNS Enumeration (nslookup, recurse/norecurse queries, dig, zone transfer)

    • Information Gathering with Maltego

    • Google Hacking and GHDB (Google Hacking Database)

Day 2

Scanning Phase and Scanning Techniques

  • Scanning Phase and Scanning Techniques

    • Introduction to Scanning Techniques

    • Tips and Best Practices During the Scanning Phase

    • Using Sniffers During Scanning: Benefits and tcpdump Overview

    • Network Scanning Tools: Angry IP Scanner and ICMPQuery

    • Scanning with Hping: Advanced Packet Crafting and Reconnaissance

    • Network Tracing: Traceroute and Network Path Mapping

    • Port Scanning Techniques

      • Understanding TCP & UDP Protocols: Impact on Port Scanning Strategies

      • Introduction to Advanced Port Scanning with Nmap:

        • Packet Trace Analysis

        • Timing Options

        • Ping and Traceroute Integration

      • Nmap TCP Scanning Methods:

        • TCP Connect Scan

        • SYN (Stealth) Scan

        • ACK Scan

        • FTP Bounce Scan

      • UDP Port Scanning with Nmap

    • Operating System and Version Detection

      • OS Fingerprinting Techniques:

        • Active Methods

        • Passive Techniques

      • Version Detection: Identifying Service Versions Using Nmap and Amap

    • Vulnerability Scanning

      • Approaches to Vulnerability Scanning

      • Overview of Nmap Scripting Engine (NSE)

        • Script Categories

        • Practical NSE Usage Examples

      • Scanning with Nessus: Setup and Execution

      • Nexpose: Installation, Configuration and Vulnerability Assessment

      • Overview of Other Vulnerability Scanners

    • User Account Enumeration & Netcat Usage

      • User Enumeration Techniques:

        • Windows Null Session

        • Finger Service

        • LDAP Enumeration

      • Advanced Netcat Usage Scenarios:

        • Remote Shell Access

        • File Transfer

        • Port Listening and Redirection

Day 3

Exploitation & Privilege Escalation

  • What is an Exploit?

    • Definition and objectives of exploiting vulnerabilities.

    • Real-world examples and impact of exploit execution.

  • Exploit Categories

    • Server-Side Exploits: Targeting services and daemons.

    • Client-Side Exploits: Leveraging user interaction (e.g., browser-based or document-based).

    • Local Privilege Escalation: Gaining elevated privileges on compromised systems.

  • Introduction to Metasploit Framework

    • Architecture and purpose of Metasploit in ethical hacking.

    • Setting up and launching exploitation environments.

  • Metasploit Module Types

    • Exploit: Delivery mechanism for vulnerabilities.

    • Payload: Code executed on the target system.

    • Stager: Initial code loader for complex payloads.

    • Stage: Main payload component delivered by the stager.

  • Meterpreter Overview

    • Capabilities of the Meterpreter payload.

    • Interactive shell, system control, pivoting, screenshot, and keylogging features.

  • Non-Metasploit Exploits

    • Manual exploitation techniques using public PoC (Proof of Concept) code.

    • ExploitDB, GitHub, and other reliable sources.

  • Shell Access Challenges and Terminal Limitations

    • Common post-exploitation shell issues (e.g., limited shell, broken encoding).

    • Solutions: Upgrading to fully interactive shell, PTY allocation.

  • Netcat Relay Scenarios

    • File redirection, port forwarding, reverse shells.

    • Practical multi-host attack simulations using nc.

  • Post-Exploitation Activities

    • File Transfer Techniques: certutil, PowerShell, FTP, SMB shares.

    • Data Gathering on Compromised Hosts:

      • Enumeration of users, privileges, and network configurations.

      • Extraction of credentials, tokens, and browser data.

  • Remote Command Execution in Windows

    • Utilizing tools like:

      • PsExec

      • at scheduler

      • schtasks

      • sc

      • wmic

  • Advanced Windows Command-Line Techniques

    • Using WMIC, PowerShell, Netsh, and Reg for stealthy operations.

    • Living-off-the-land binaries (LOLBins) usage.

  • Client-Side Exploitation Techniques

    • Delivering malicious payloads via:

      • Malicious PDFs, Office Macros, or browser exploits.

    • Practical Exercise: Exploiting a vulnerable PDF reader or browser using Metasploit.

Day 4

Password Attacks

  • Introduction to Password Cracking and Guessing Techniques

    • Fundamental approaches to password brute-forcing and dictionary attacks.

    • Strategies to optimize attack success and reduce false positives.

  • Tips for Conducting Effective Password Attacks

    • Best practices and methodologies for different attack vectors.

    • Bypassing account lockout and implementing delay logic.

  • Account Lockout Scenarios on Windows and Linux

    • Windows: Account Policy, Lockout Threshold, Audit Logs.

    • Linux/Unix: PAM (Pluggable Authentication Module) configurations, faillog, pam_tally2.

  • Password Guessing with THC-Hydra

    • Using Hydra for brute-force and dictionary attacks over protocols like SSH, FTP, HTTP, SMB.

  • Using Pw-inspector

    • Filtering and preparing custom wordlists for password attacks.

  • Password Hash Formats

    • Windows SAM Hashes

      • Structure and location of password hashes in the Security Accounts Manager (SAM) database.

    • Active Directory Hash Storage

      • Storage of NTLM hashes in NTDS.dit.

      • Secure channel communication and replication issues.

    • LANMAN and NT Hash Algorithms

      • LANMAN (LM): Weak hash algorithm, case-insensitive, padding mechanisms.

      • NT Hash (NTLM): MD4-based hashing, Unicode support.

  • Windows Network Authentication Protocols

    • LANMAN Challenge/Response

    • NTLMv1 and NTLMv2 Challenge/Response

    • Microsoft Kerberos Authentication Workflow

  • Linux/Unix Password Hash Formats

    • /etc/shadow file structure.

    • Hashing algorithms used: MD5, SHA-256, SHA-512, bcrypt.

  • Capturing Password Hashes

    • Tools and techniques:

      • Pwdump6, Fgdump, Mimikatz, Metasploit’s hashdump and priv modules.

  • John the Ripper (JtR)

    • Introduction to JtR as a password cracking utility.

    • Configuration: john.conf or john.ini files.

    • Modes: Single crack, wordlist, incremental, external.

    • Output Files:

      • john.pot: Cracked passwords storage.

      • john.rec: Recovery checkpoint file.

  • Patches and Distributed Cracking with JtR

    • MPI/OpenMP support.

    • Use of john --fork, john --node, and GPU acceleration.

  • Cain & Abel

    • Graphical password recovery and sniffing tool.

    • Features:

      • Sniffer Module for traffic interception.

      • ARP Poison Routing to perform MITM attacks.

      • Hash extraction and injection capabilities.

  • Rainbow Tables

    • Concept of precomputed hash chains.

    • Trade-offs: storage vs. computation.

    • Generation and usage with tools like rtgen, rcrack.

  • Using Ophcrack with Rainbow Tables

    • GUI and live CD support for automated hash recovery.

    • Real-time NTLM hash cracking demonstrations.

  • Pass-the-Hash (PtH) Technique

    • Authentication without knowing plaintext passwords.

    • Tools:

      • Pshtoolkit for Linux-based PtH.

      • Metasploit modules for remote hash injection.

      • SMBClient, WMI, and WinRM for lateral movement using hashes.

Day 5

Wireless Networks & Web Applications

  • Wireless Network Vulnerabilities

    • Common weaknesses in Wi-Fi environments, including authentication bypass, encryption flaws, and rogue access points.

  • Hardware Selection for Wireless Security Testing

    • Wireless NICs supporting monitor mode and packet injection (e.g., Alfa AWUS036ACH).

    • Directional and omnidirectional antennas.

    • GPS modules for geolocation tagging.

  • Wireless Networking Basics

    • IEEE 802.11b/g channel allocation and frequency bands.

    • SSID broadcasting and suppression.

    • 802.11 authentication and association handshakes.

  • Wireless Network Discovery Techniques

    • Interface modes: Managed vs. Monitor.

    • Passive and active scanning strategies.

  • Sniffing Wireless Traffic

    • Capturing and analyzing 802.11 frames.

  • Kismet for Wireless Sniffing

    • Real-time packet capturing, client/AP mapping, and signal analysis.

  • NetStumbler and Cain for Wireless Discovery

    • Windows-based tools for access point identification and signal strength measurement.

  • SSID Cloaking

    • Hiding network names and its implications on security and detection.

  • Cryptographic Attacks on Wireless Networks

    • WEP (Wired Equivalent Privacy)

      • Basics, encryption weaknesses, IV reuse vulnerabilities.

    • WPA/WPA2

      • Pre-shared key (PSK) and enterprise mode.

      • Temporal Key Integrity Protocol (TKIP) vs. AES-CCMP.

    • Attack Tools

      • Aircrack-ng suite for cracking WEP/WPA handshakes.

      • CoWPAtty for dictionary-based attacks on WPA.

  • Wireless Client Attacks

    • Rogue AP and Evil Twin attacks.

    • Airpwn, AirJack, Karma, Karmasploit for client spoofing, session hijacking, and MitM.

Web Applications

  • Introduction to Web Applications

    • Architecture and common technologies (HTTP, HTTPS, cookies, sessions).

  • Web Server Vulnerabilities

    • Default configurations, outdated software, and information disclosure.

  • Nikto for Vulnerability Scanning

    • Automated tool for discovering misconfigurations and outdated versions.

  • Manual Confirmation of Nikto Findings

    • Validating discovered issues through manual HTTP requests.

  • Paros Proxy Overview

    • Intercepting and modifying HTTP requests/responses.

    • Integrated scanner and request editor.

    • Built-in hash calculator and parameter analyzer.

  • Injection Attacks

    • Cross-Site Request Forgery (CSRF/XSRF)

      • Forging authenticated requests from a victim browser.

    • Cross-Site Scripting (XSS)

      • Reflected XSS: Input echoed immediately.

      • Stored XSS: Persistent injection in databases or logs.

    • Command Injection

      • Executing system-level commands via unsanitized input.

      • Blind Command Injection: Output not visible to attacker.

    • SQL Injection (SQLi)

      • Modifying backend SQL queries via user input.

      • Executing system commands through SQLi.

      • Blind SQL Injection: Infer data via boolean/time-based techniques.
