Capital Area Cyber Security User Group
Class 3: Active Information Gathering
The Fine Art of Scanning

Presenter Bio
• Strengths
• Weakness
• Security Interests
• Something Fun
User Group Objective
• Give students offensive knowledge to better defend computer networks
• Hands-on security training to complement theory: put theories into practice
  ◦ “Tell me and I'll forget; show me and I may remember; involve me and I'll understand.”
• Knowledge sharing: the power of group learning

User Group Objective (contd.)
• Group Exercise: What do you see in the following pictures?
User Group Objective (contd.)
• Increase experience with a multitude of security aspects
• Network with other security-minded professionals
• Play in a safe lab environment not offered at work or home
• Earn CPEs to maintain certifications without high costs
  ◦ For CISSP: preparing and presenting a 2-hour presentation = 8 CPEs; participating for 1 hour = 1 CPE; updating an existing presentation also counts (see the ISC2 chart for specifics)

User Group Objective (contd.)
• Have your questions answered; bring hard issues that require solutions
• Improve public speaking and training skills
CEH Certified Ethical Hacker Study Guide, Kimberly Graves, 2010 (Amazon.com)
Course Chapters:
Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality
Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
Chapter 3: Gathering Network and Host Information: Scanning and Enumeration
Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files
Chapter 5: Trojans, Backdoors, Viruses, and Worms
Chapter 6: Gathering Data from Networks: Sniffers
Chapter 7: Denial of Service and Session Hijacking
Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques
Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows
Chapter 10: Wireless Network Hacking: Wi-Fi and Ethernet
Chapter 11: Physical Site Security
Chapter 12: Hacking Linux Systems
Chapter 14: Cryptography
Chapter 15: Performing a Penetration Test

Course Agenda
Class 1: Methodologies and Lab Setup
Class 2: Passive Information Gathering
Class 3: Active Information Gathering (Nessus)
Class 4: Wireless and Wired Network Enumeration
Class 5: Target System Penetration
Class 6: Privilege Escalation, Maintaining Access, and Malware
Class 7: Web Application Penetration
Class 8: Covering Tracks, IDS, Reporting, and Cleanup
Class 9: Metasploit
Class 10: Physical Security (Lock Picking etc.)
Class 11: Capture the Flag

Agenda
• Active Information Gathering
  ◦ Ping
  ◦ Port Scan
  ◦ Operating System Fingerprinting
  ◦ Intrusion Detection Systems
• Exercises
DO NOT perform any activities from this course on any network, system, or network-connected device without proper permission!
Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and of the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.

Information Systems Security Assessment Framework (ISSAF)
What We Know via Passive Information Gathering
• Critical services, key employees, partner companies
• Company website, IP and email addresses
• Physical address and location
• Domain names
• Types of operating systems, databases, servers, protocols, and programming languages used (basic)

What is Active Information Gathering?
• The process of searching for information that an attacker could potentially use to exploit the target network
• Identify live systems
• Map the network
• Types of operating systems, databases, servers, protocols, and programming languages used (in-depth)
• Identify system vulnerabilities
Why Do Active Information Gathering?
• More information about the target can make the penetration test easier during the later phases
  ◦ “Know your enemies and know yourself, you will not be imperiled in a hundred battles.” –Sun Tzu, Art of War
  ◦ “Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack.” –Kimberly Graves
  ◦ “Good hackers will spend 90 – 95 percent of their time gathering information for an attack.” –Walker

Why Do Active Information Gathering? (contd.)
• Timing the attack
  ◦ Example: around patch releases such as Microsoft Patch Tuesday or the Oracle Critical Patch Update (CPU), when the vulnerabilities just fixed become public while many systems are still unpatched
  ◦ Off hours such as holidays and vacations, or peak hours when extra traffic goes unnoticed

Active vs. Passive Information Gathering
• Active: touch the device/network or talk to employees (e.g. a vulnerability scan); the target can log and detect this
• Passive: do not communicate with or touch the target, such as Google searching for publicly available information
ICMP and Ping
• Internet Control Message Protocol (ICMP) is the part of the TCP/IP protocol suite used to send error and diagnostic messages
• Ping is the most common use of ICMP: it sends an echo request (type 8) to a system and waits for an echo reply (type 0)
• Used to verify network connectivity; only a reachable system that is not filtering ICMP replies
• Cannot show which services a system is running

Ping Examples (from Build Your Own Security Lab)
• Active system response
• Inactive system response
• Question: What does a ping that times out tell you?
  1) The system is down, or
  2) ICMP is blocked somewhere on the path

ICMP Message Types
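Added example (not from the slides): a Python sketch of what ping puts on the wire and how to read the answer. It builds an ICMP echo request with a correct RFC 1071 checksum and classifies the reply: an echo reply means alive, an administratively-prohibited unreachable means a filter said so, and silence is the “down or blocked” ambiguity from the question above. The sample replies are constructed; sending the request for real needs a raw socket and root, which is left out.

```python
import struct
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
# Destination-unreachable codes a filtering router or host firewall uses
# (9/10 network/host administratively prohibited, 13 communication prohibited).
ADMIN_PROHIBITED = {9, 10, 13}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_message(mtype: int, code: int, rest: bytes) -> bytes:
    """Type, code, checksum, then the type-specific remainder."""
    draft = struct.pack("!BBH", mtype, code, 0) + rest
    return struct.pack("!BBH", mtype, code, icmp_checksum(draft)) + rest


def build_echo_request(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """What `ping` sends: type 8, code 0, identifier, sequence number, data."""
    return icmp_message(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + payload)


def classify_reply(reply: Optional[bytes], ident: int, seq: int) -> str:
    """Turn what came back (or did not) into the answer the slide asks for.

    'alive'            echo reply matching our identifier/sequence
    'blocked'          an explicit administratively-prohibited unreachable
    'unreachable'      some other destination-unreachable (no route, host unreachable)
    'down-or-blocked'  silence: the host is off, or a filter drops ICMP without telling us
    """
    if reply is None:
        return "down-or-blocked"
    if len(reply) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(reply) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    mtype, code, _csum, field1, field2 = struct.unpack("!BBHHH", reply[:8])
    if mtype == ICMP_ECHO_REPLY:
        return "alive" if (field1, field2) == (ident, seq) else "down-or-blocked"
    if mtype == ICMP_DEST_UNREACH:
        return "blocked" if code in ADMIN_PROHIBITED else "unreachable"
    return "down-or-blocked"


# Constructed sample replies (not captured traffic) for identifier 0x1234, sequence 1.
SAMPLE_ECHO_REPLY = icmp_message(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1) + b"ping")
# Destination unreachable carries 4 unused bytes, then the offending IP header + 8 bytes;
# a zeroed placeholder stands in for that header here.
SAMPLE_ADMIN_PROHIBITED = icmp_message(ICMP_DEST_UNREACH, 13, b"\x00" * 4 + b"\x45\x00" + b"\x00" * 26)
SAMPLE_HOST_UNREACHABLE = icmp_message(ICMP_DEST_UNREACH, 1, b"\x00" * 4 + b"\x45\x00" + b"\x00" * 26)


def sweep_summary(results: dict) -> dict:
    """Group a {address: classification} map the way a sweep report would."""
    summary = {}
    for addr, state in results.items():
        summary.setdefault(state, []).append(addr)
    return summary


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    print("echo request:", req.hex())
    probes = {
        "10.0.2.15": SAMPLE_ECHO_REPLY,
        "10.0.2.60": SAMPLE_ADMIN_PROHIBITED,
        "10.0.2.61": SAMPLE_HOST_UNREACHABLE,
        "10.0.2.200": None,
    }
    print(sweep_summary({a: classify_reply(r, 0x1234, 1) for a, r in probes.items()}))
```

The point of the "down-or-blocked" bucket is that silence proves nothing: the next slides add TCP probes precisely because a live host behind a firewall that drops ICMP looks identical to a dead one.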
Ping Sweep
• Command-line ping only tests one system at a time; use a ping sweep to test a large number of systems
• Tools: SuperScan, Angry IP Scanner, Nmap
• Nmap's -sn option (ping scan, no port scan) finds live hosts with an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443, and a TCP ACK to port 80; on the local Ethernet segment it uses ARP requests instead, and an unprivileged user gets only TCP connects to ports 80 and 443

Ping Defenses
• Many administrators block ping from passing the gateway device
• Ensure blocked activity is logged and generates notifications
  ◦ Configure rules, test, and monitor
• Disable unneeded services so that a TCP ping to an open port cannot identify the system when ICMP is blocked
• Check what ports and services your own machine exposes: Shields Up (an external scan of your public address), netstat, CurrPorts
• Snort rule (with a local sid added) that flags the TCP ACK ping Nmap falls back to when ICMP is blocked, i.e. ACK flag set with acknowledgment number 0:

  alert tcp any any -> 192.168.1.0/24 any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000001; rev:1;)

Shields Up

Netstat

CurrPorts
Types of Scanning
• Port scanning: determine open ports and services
• Network scanning: identify IP addresses on a network/subnet
• Vulnerability scanning: discover weaknesses on target systems

Scanning and the Law
• Do not scan without permission! A scan can cause a denial of service, and you can go to jail.
• Your ISP might drop your scanning attempts and/or blacklist you

CEH Scanning Methodology (Kimberly Graves, CEH book)

When to Scan
• Determine when to scan
  ◦ Don't risk discovery if you already know the host is easy to hack
  ◦ If a specific host is well guarded, opt for a less guarded host or implement a different strategy such as social engineering
Port Scanning
• Port scanning probes the 65,535 TCP and UDP ports to discover listening services on a target system
• An attacker can determine the best means of attacking a system by knowing the open services and their version numbers
• Most scans only look at the first 1024 ports, since those well-known ports are the ones most often attacked: FTP (20/21), Telnet (23), SMTP (25), DNS (53), TFTP (69), HTTP (80), SNMP (161/162)

Ports
• Malicious software default ports
  ◦ port 1095: Remote Administration Tool (RAT)
  ◦ port 7777: Tini
  ◦ port 31335: Trinoo
  ◦ port 31337: Back Orifice
• Weak (cleartext) protocol ports: FTP (20/21), Telnet (23)
• Common Windows ports
• Common Linux software ports
• Common Apple ports
• Look for software that only runs on a specific OS: the set of open ports hints at the operating system

Port States
• Open: a service is accepting incoming requests
• Closed: reachable, but no application is listening on it
• Filtered: a firewall or filter is screening the port, so the scanner cannot tell whether it is open
• Unfiltered: reachable and not firewalled, but the scanner cannot tell open from closed (only the ACK scan reports this state)
• Open|Filtered: unsure whether open or filtered
• Closed|Filtered: unsure whether closed or filtered
TCP and UDP
• Applications use TCP/UDP port numbers so that traffic reaches the correct protocol and service
• TCP uses a three-step handshake to open a connection and a four-step exchange to close it
• A flag field controls communication (URG, ACK, PSH, RST, SYN, FIN); Nmap manipulates the flags to identify active systems and port states
• UDP does not use handshaking, so it is faster but less reliable and easier to spoof: “fire and forget”

TCP Handshakes (sequence numbers as drawn on the slide)
Startup process:
  Client: SYN, sequence # 110 (+1: a SYN consumes one sequence number, so the next expected is 111)
  Server: SYN/ACK, (my) sequence # 225 (+1), acknowledging (your) sequence # 111
  Client: ACK, (my) sequence # 111, acknowledging (your) sequence # 226
  Data
Shutdown process:
  Client: FIN, sequence # 310 (+1)
  Server: ACK, acknowledging (your) sequence # 311
  Server: FIN, (my) sequence # 415 (+1)
  Client: ACK, acknowledging (your) sequence # 416

TCP Handshakes (Port Numbers in Use)
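Added example, not part of the original deck: a small Python model of the handshake and shutdown above that reproduces the slide's numbers and checks them. It assumes the side that sends the first SYN is the client and the other the server, and it derives the two data lengths (199 and 189 bytes) from the gap between the handshake and the FIN sequence numbers, which the slide leaves implicit.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Segment:
    src: str        # "client" or "server"
    flags: str      # e.g. "SYN", "SYN/ACK", "ACK", "FIN"
    seq: int
    ack: int = 0    # meaningful only when ACK is among the flags
    data_len: int = 0

    def consumes(self) -> int:
        """Sequence space used by this segment: payload bytes, plus one for SYN and one for FIN."""
        return self.data_len + ("SYN" in self.flags) + ("FIN" in self.flags)

    def __str__(self) -> str:
        return f"{self.src:6} {self.flags:8} seq={self.seq} ack={self.ack} len={self.data_len}"


def three_way_handshake(client_isn: int, server_isn: int) -> List[Segment]:
    return [
        Segment("client", "SYN", client_isn),
        Segment("server", "SYN/ACK", server_isn, ack=client_isn + 1),
        Segment("client", "ACK", client_isn + 1, ack=server_isn + 1),
    ]


def four_way_close(client_seq: int, server_seq: int) -> List[Segment]:
    """The closing side sends FIN; the peer acknowledges it, sends its own FIN, and is acknowledged."""
    return [
        Segment("client", "FIN", client_seq),
        Segment("server", "ACK", server_seq, ack=client_seq + 1),
        Segment("server", "FIN", server_seq),
        Segment("client", "ACK", client_seq + 1, ack=server_seq + 1),
    ]


def session_from_slide() -> List[Segment]:
    """Handshake, data, and shutdown with the slide's numbers (110/225 to start, FINs at 310/415).

    The data lengths follow from the slide: 310 - 111 = 199 bytes from the client,
    415 - 226 = 189 bytes from the server.
    """
    segs = three_way_handshake(110, 225)
    segs.append(Segment("client", "ACK", 111, ack=226, data_len=199))
    segs.append(Segment("server", "ACK", 226, ack=310, data_len=189))
    segs += four_way_close(310, 415)
    return segs


def verify(segments: List[Segment]) -> bool:
    """Each side's seq must continue where it left off, and every ACK must equal the peer's next seq."""
    next_seq: Dict[str, int] = {}
    for s in segments:
        peer = "server" if s.src == "client" else "client"
        if s.src in next_seq and next_seq[s.src] != s.seq:
            return False
        next_seq[s.src] = s.seq + s.consumes()
        if "ACK" in s.flags and s.ack != next_seq.get(peer):
            return False
    return True


if __name__ == "__main__":
    for seg in session_from_slide():
        print(seg)
    print("consistent:", verify(session_from_slide()))
```

The same arithmetic is what makes a SYN scan work: the scanner never sends the third segment, so the target's half-open connection is torn down by the scanner's RST and no application ever sees it.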
TCP Flags
• SYN: initiates a connection between hosts
• ACK: acknowledges received data; set on every segment of an established connection
• PSH: the sender is pushing buffered data to the application immediately
• URG: the urgent pointer is valid; the flagged data should be processed quickly
• FIN: no more data from the sender
• RST: resets (aborts) the connection

Scan Types and Responses
• SYN (-sS) and full connect (-sT) scans: SYN/ACK means open, RST means closed, no reply or an ICMP unreachable means filtered
• FIN, NULL, and Xmas scans (-sF, -sN, -sX): RST means closed, no reply means open|filtered
• ACK scan (-sA): it does not find open ports at all; an RST from either an open or a closed port means unfiltered, and no reply means filtered
• So every scan type draws an RST from a closed, unfiltered port; the ACK scan is the exception only in that its RST does not distinguish open from closed
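Added example serving both the Scan Types and Responses slide and the Snort rule on the Ping Defenses slide; it is not code from the deck. The Python below decodes a raw TCP header, applies Nmap's interpretation rules to turn each probe type plus what came back into one of the port states defined earlier, and implements the Snort rule's condition (ACK flag only, acknowledgment number zero) as a detection check. The packets are constructed, with checksums left at zero.

```python
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 1024) -> bytes:
    """A 20-byte TCP header with no options; checksum left zero because this is constructed test data."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp(hdr: bytes) -> dict:
    if len(hdr) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "data_offset": (off_flags >> 12) * 4, "window": window}


def flag_names(flags: int) -> str:
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def infer_port_state(scan: str, reply: Optional[bytes], icmp_unreachable: bool = False) -> str:
    """Map (probe type, response) to the port states on the Port States slide.

    scan:  'syn' (-sS), 'connect' (-sT), 'ack' (-sA), 'fin'/'null'/'xmas' (-sF/-sN/-sX)
    reply: raw TCP header of the response, or None when nothing came back
    """
    if icmp_unreachable:
        return "filtered"
    flags = parse_tcp(reply)["flags"] if reply is not None else None
    if scan in ("syn", "connect"):
        if flags is None:
            return "filtered"
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan == "ack":
        # An RST comes back from open and closed ports alike, so the ACK scan only sees firewall rules.
        if flags is None:
            return "filtered"
        return "unfiltered" if flags & RST else "filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793 hosts answer a closed port with RST and stay silent on an open one.
        if flags is None:
            return "open|filtered"
        return "closed" if flags & RST else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def is_tcp_ping(hdr: bytes) -> bool:
    """The Snort rule on the Ping Defenses slide: ACK alone, acknowledgment number 0."""
    p = parse_tcp(hdr)
    return p["flags"] == ACK and p["ack"] == 0


if __name__ == "__main__":
    # Constructed replies from a target: port 80 open (SYN/ACK), port 81 closed (RST), scanner on port 40000.
    syn_ack = build_tcp(80, 40000, 1000, 1, SYN | ACK)
    rst = build_tcp(81, 40000, 0, 1, RST | ACK)
    for scan in ("syn", "ack", "fin"):
        print(f"{scan:4} syn/ack->{infer_port_state(scan, syn_ack):14} rst->{infer_port_state(scan, rst):15} "
              f"silence->{infer_port_state(scan, None)}")
    print("tcp ping?", is_tcp_ping(build_tcp(40000, 80, 12345, 0, ACK)))
```

Note that the FIN/NULL/Xmas rules only hold for RFC-compliant stacks; Windows answers every closed-or-open port with RST, which is why those scans report everything as closed against it.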
Other Scan Types
• RPC scan: determine whether open ports are RPC ports
• Idle scan: use an idle host (a “zombie”) to bounce packets so that the scan is harder to trace back to the attacker

Open port idle scan (IP ID sequence as drawn on the slide):
  1. Attacker → Idle Host: IP ID probe (SYN/ACK); Idle Host → Attacker: RST with IP ID = 12345
  2. Attacker → Victim: SYN with the idle host's address spoofed as the source
  3. Victim → Idle Host: SYN/ACK (the port is open); Idle Host → Victim: RST with IP ID = 12346
  4. Attacker → Idle Host: IP ID probe; Idle Host → Attacker: RST with IP ID = 12347 (incremented by 2: port open)

Closed port idle scan:
  1. Attacker → Idle Host: IP ID probe; response IP ID = 12345
  2. Attacker → Victim: spoofed SYN
  3. Victim → Idle Host: RST (the port is closed); the idle host ignores it and sends nothing
  4. Attacker → Idle Host: IP ID probe; response IP ID = 12346 (incremented by 1: port closed or filtered)
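Added example (not from the deck): a Python simulation of the idle scan exchange drawn above, with the zombie starting at IP ID 12345 as on the slide. Two caveats the diagram hides are modelled: the zombie must be checked for sequential, global IP IDs before use, and a zombie that sends other traffic during the scan, or uses randomized IP IDs, makes the result unreadable.

```python
from typing import Iterable, List


class Zombie:
    """An idle host that stamps every packet it sends with the next IP ID from one global counter."""

    def __init__(self, first_ipid: int, random_ipids: bool = False):
        self.next_ipid = first_ipid
        self.random_ipids = random_ipids
        self.sent: List[int] = []

    def _send(self) -> int:
        ipid = self.next_ipid
        # A real randomized stack would draw fresh values; a big odd stride is enough to break the +1 assumption.
        self.next_ipid = (self.next_ipid + (7919 if self.random_ipids else 1)) & 0xFFFF
        self.sent.append(ipid)
        return ipid

    def answer_probe(self) -> int:
        """The attacker sends SYN/ACK to the zombie; an unexpected SYN/ACK draws an RST carrying the IP ID."""
        return self._send()

    def on_syn_ack(self) -> None:
        """The victim's SYN/ACK, for a connection the zombie never opened, also draws an RST."""
        self._send()

    def on_rst(self) -> None:
        """A RST is simply ignored: no packet, no IP ID consumed."""

    def background_traffic(self, packets: int = 1) -> None:
        """Anything else the 'idle' host sends also consumes IP IDs."""
        for _ in range(packets):
            self._send()


class Victim:
    def __init__(self, open_ports: Iterable[int], filtered_ports: Iterable[int] = ()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_spoofed_syn(self, apparent_source: Zombie, port: int) -> None:
        if port in self.filtered_ports:
            return                          # dropped by a firewall, nothing goes back
        if port in self.open_ports:
            apparent_source.on_syn_ack()    # SYN/ACK goes to the spoofed source, i.e. the zombie
        else:
            apparent_source.on_rst()


def zombie_is_usable(zombie: Zombie, probes: int = 3) -> bool:
    """Before scanning, confirm the zombie's IP IDs go up by exactly one per packet."""
    ids = [zombie.answer_probe() for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(zombie: Zombie, victim: Victim, port: int) -> str:
    before = zombie.answer_probe()              # step 1: learn the zombie's current IP ID
    victim.receive_spoofed_syn(zombie, port)    # step 2: SYN to the victim with the zombie as source
    after = zombie.answer_probe()               # step 3: probe the zombie again
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie not idle or IP IDs not sequential)"


if __name__ == "__main__":
    zombie = Zombie(12345)
    victim = Victim(open_ports={80}, filtered_ports={22})
    for port in (80, 81, 22):
        print(port, idle_scan_port(zombie, victim, port), "ids seen:", zombie.sent[-3:])
    print("randomized zombie usable?", zombie_is_usable(Zombie(100, random_ipids=True)))
```

Because the victim only ever sees the zombie's address, the victim's logs point at the zombie; the defensive takeaway is that a host with a predictable global IP ID counter is a liability for everyone, not only for itself.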
Port Scanning Tools
• GUI-based: Zenmap (the Nmap GUI), SuperScan
• Command line-based: Nmap, hping2
• Nmap is an open source network mapping and security auditing tool that crafts IP packets to gain information about active systems

Nmap
• Basic scan options: -sS (TCP SYN, “half-open”) and -sT (TCP full connect)
• TCP full connect example

Nmap switches:
• Scan types
• Ping options
• Output
• Scan speed

Zenmap (Nmap.org)
• The free cross-platform Nmap GUI
• Additional features: save scan results; save scan options as profiles for repetitive scans; sort scans by host, port, and service; display scan results in a more user-friendly format; display a visual interpretation of traceroute

Hping2 (SYN scan of ports 1-445 on the local host)
  root@bt:~# hping2 --scan 1-445 -S localhost
  Scanning localhost (127.0.0.1), port 1-445
  445 ports to scan, use -V to see all the replies
  +----+-----------+---------+---+-----+-----+
  |port| serv name |  flags  |ttl| id  | win |
  +----+-----------+---------+---+-----+-----+
    111 sunrpc     : .S..A... 64     0 32792
  All replies received. Done.
  Not responding ports:
Defend Against Port Scanning
• Only keep necessary ports open
• Periodically check for open ports and close unused ones
• Employee policies, training, and rules of behavior
• Filter traffic through a stateful inspection firewall
• Use an IDS
• Change service banners so that they return incorrect information

Active OS Fingerprinting
• Find high-value and/or weak targets
• Actively craft and send IP packets to the target to elicit a response that identifies the host operating system: FIN probe, ACK value, bogus flag probe
• Determines the target OS more accurately than passive methods
• Nmap's -O and xprobe2 can actively identify operating systems
• The target computer can more easily detect active OS fingerprinting scans

Passive Stack Fingerprinting
• Stealthier: examines traffic already on the network (sniffing vs. scanning)
• Less accurate
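Added example, not from the deck: a minimal passive fingerprinter in Python in the spirit of p0f. It reads TTL, DF bit, window size and flags from a sniffed SYN, rounds the TTL up to its likely starting value to get the hop distance, and matches TTL/window against a few illustrative signatures. The signature values are textbook approximations assumed for the example, not p0f's database, and the packets are constructed rather than captured.

```python
import struct

# Illustrative signatures (initial TTL, TCP window in the SYN). These are classic textbook values
# and an assumption for this example, not p0f's real signature database.
SIGNATURES = [
    ("Linux 2.6", 64, 5840),
    ("FreeBSD", 64, 65535),
    ("Windows XP", 128, 65535),
    ("Windows 7", 128, 8192),
]
TTL_STARTS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value; the gap is the hop count."""
    for start in TTL_STARTS:
        if observed <= start:
            return start
    raise ValueError("TTL out of range")


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields passive fingerprinting looks at out of a raw IPv4+TCP packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"ttl": ttl, "df": df, "window": window, "flags": off_flags & 0x3F,
            "options": tcp[20:data_off], "hops": initial_ttl(ttl) - ttl}


def guess_os(pkt: bytes) -> str:
    f = parse_ipv4_tcp(pkt)
    if f["flags"] != 0x02:        # only the initial SYN carries the stack's untouched defaults
        return "skip: not a SYN"
    ttl0 = initial_ttl(f["ttl"])
    for name, sig_ttl, sig_win in SIGNATURES:
        if (sig_ttl, sig_win) == (ttl0, f["window"]):
            return f"{name} ({f['hops']} hops away, DF={'set' if f['df'] else 'clear'})"
    return f"unknown (initial TTL {ttl0}, window {f['window']})"


def build_syn(ttl: int, window: int, df: bool = True, flags: int = 0x02) -> bytes:
    """Constructed IPv4+TCP packet (no options, zero checksums) standing in for a sniffed SYN."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 2, 15]), bytes([10, 0, 2, 200]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_syn(52, 5840), build_syn(117, 8192), build_syn(64, 65535),
                build_syn(200, 4096), build_syn(120, 8192, flags=0x12)):
        print(guess_os(pkt))
```

This is why the slide calls the method less accurate: the values come from whatever the target's stack happens to send, they can be tuned by administrators, and two systems with the same TTL/window are indistinguishable without the option ordering that real p0f signatures also include.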
Nmap Fingerprinting
• The -O option tries to match response packets to a database of known operating system fingerprints
• Nmap's -sV option identifies service versions from the banners on open ports
• Limiters to speed up scans: --osscan-limit (only fingerprint hosts that have at least one open and one closed port) and --max-os-tries

Defending Against OS Fingerprinting
• Block unneeded or suspicious traffic at the firewall
• Use an Intrusion Detection System (IDS)
• Set access control lists (ACLs) on routers to block suspicious traffic
Intrusion Detection Systems
• Intrusion detection systems (IDSs) inspect network/host activity and identify suspicious traffic and anomalies (Snort, Suricata)
• Two categories of IDS: network-based intrusion detection systems and host-based intrusion detection systems
• IDSs are usually made of multiple software applications and/or hardware devices with the following components: network sensors, central monitoring system, report analysis, database and storage components, response box

IDS Engines
Types of intrusion detection engines or methods: signature-based and anomaly-based
• Signature-based: current activity is pattern-matched against a database of attack signatures; if matched, generate and report an alert
• Anomaly-based: historical data is used to learn and update a model of normal activity, and current data is compared with it; if characteristic, it is folded into the model, if uncharacteristic, generate and report an alert
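Added example (not from the deck): both engines from the diagram above, run in Python over a constructed connection log. The signature engine fires on a fixed pattern (five or more distinct ports from one source within ten seconds); the anomaly engine compares each source's distinct-port count against a mean-plus-three-standard-deviations limit learned from a constructed baseline. The slow scanner in the log shows the trade-off: it slips past the signature but not the baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


# Constructed connection log (seconds, source, destination, port, TCP flags), not a real capture:
# 10.0.2.15 hits six ports in six seconds, 10.0.2.77 probes four ports half a minute apart,
# 10.0.2.60 is an ordinary web client.
LOG = """\
1 10.0.2.15 10.0.2.200 21 S
2 10.0.2.15 10.0.2.200 22 S
3 10.0.2.15 10.0.2.200 23 S
3 10.0.2.60 10.0.2.200 80 S
4 10.0.2.15 10.0.2.200 25 S
5 10.0.2.15 10.0.2.200 80 S
6 10.0.2.15 10.0.2.200 443 S
7 10.0.2.60 10.0.2.200 443 S
0 10.0.2.77 10.0.2.200 135 S
30 10.0.2.77 10.0.2.200 139 S
60 10.0.2.77 10.0.2.200 445 S
90 10.0.2.77 10.0.2.200 3389 S
"""

# Constructed baseline: distinct destination ports per source per hour, as learned on quiet days.
BASELINE_DISTINCT_PORTS = [1, 2, 1, 2, 1, 3, 2, 1]


def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport), flags))
    return sorted(conns, key=lambda c: c.ts)


def signature_detect(conns: List[Conn], threshold: int = 5, window: int = 10) -> Set[str]:
    """Signature: one source sends SYNs to at least `threshold` distinct ports within `window` seconds."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if "S" in c.flags:
            by_src[c.src].append(c)
    alerts = set()
    for src, events in by_src.items():
        for i, start in enumerate(events):
            ports = {e.dport for e in events[i:] if e.ts - start.ts <= window}
            if len(ports) >= threshold:
                alerts.add(src)
                break
    return alerts


def anomaly_detect(conns: List[Conn], baseline: List[int], sigmas: float = 3.0) -> Set[str]:
    """Anomaly: flag a source whose distinct-port count exceeds the learned mean by more than `sigmas` deviations."""
    limit = mean(baseline) + sigmas * pstdev(baseline)
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for c in conns:
        ports_by_src[c.src].add(c.dport)
    return {src for src, ports in ports_by_src.items() if len(ports) > limit}


if __name__ == "__main__":
    conns = parse_log(LOG)
    print("signature alerts:", sorted(signature_detect(conns)))
    print("anomaly alerts:  ", sorted(anomaly_detect(conns, BASELINE_DISTINCT_PORTS)))
```

The anomaly engine's weakness is the mirror image: an attacker who probes slowly enough to stay inside the learned range, or who first pollutes the baseline, is never uncharacteristic.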
Active Information Gathering Tools
(Columns on the original slide: ping sweep, port scan, passive OS, active OS, GUI, command line, host OS; only the host OS column survived extraction)
Tool               Host OS
Nmap               Win/Linux
SuperScan          Win
Angry IP Scanner   Win/Linux
THC-Amap           Linux
TCPTraceroute      Linux
p0f                Win/Linux
xprobe2            Linux
Scrutinizing Key Employees
• Useful information to prepare for social engineering: debt (payoff), disgruntled (layoffs from mergers), vacations, embarrassing information (blackmail)
• How to get this information: run a credit report (illegal without permission); find out via Facebook status, etc.; bugs/cameras/spies/stakeout/pickpocket

Social Engineering Key Employees
• Kevin Mitnick, “father of social engineering”
  ◦ At age 12, socially engineered a bus driver to circumvent the punch-card system for LA buses
  ◦ Went on to hacking phones, systems, etc., and was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone
WLAN Threat
• Wardriving: driving around a target with special equipment to record information about wireless access points (WAPs)
  ◦ Equipment: laptop with a wireless network interface controller, GPS device, antennae, and network discovery tools (Kismet)
• Warwalking: walking around or sitting near a target with a laptop and other equipment in a backpack
• Warflying

WLAN Threat (contd.)
• Sniff traffic on the WLAN for operating systems, ports/services information, passwords, and miscellaneous sensitive information

Kismet UI Main View

War Dialing
• Dial every number until an unsecured modem is found
• Still a problem
  ◦ Modem backup connections
  ◦ Old modems never retired
• Tools: THC-Scan, PhoneSweep, and Telesweep
• Prevention
  ◦ No-modem policy
  ◦ Strong passwords
  ◦ Test for modems using the tools above
  ◦ Look for modems (desk-to-desk checks)
Hiding Your Active Information Gathering
• Proxies
  ◦ The proxy is seen as performing the activity instead of you
  ◦ Free proxies are available; tools such as ProxyChains route your traffic through a chain of them
  ◦ Anonymizer web proxies; caution: choose the right one (e.g. Anonymouse.org); useful for blocked sites
• Spoofing the source IP address
  ◦ Nmap can spoof the source IP (-S)
  ◦ Caution: the responses you want will go to the spoofed IP instead of to you
• Tor (The Onion Router)
  ◦ Anyone can run a Tor relay or exit node: a plus for availability, a minus because an exit node can observe unencrypted traffic leaving it
  ◦ The client bounces its request through a circuit of Tor relays
• Tunneling
• Hiding files
Summary
• You should now know specific information about the target system(s)
• By knowing the active devices, open ports, running services, and device operating systems, you can search for vulnerabilities to exploit and use the listening services to gain more information
• Next class: Enumerating Target Systems

Questions?

Lab: Active Information Gathering

Lab Overview
• Lab setup
• Exercises
  ◦ Ping sweep
  ◦ Port scan
  ◦ Banner grabbing
  ◦ Passive OS identification
  ◦ Active OS identification
  ◦ Manual vulnerability identification
  ◦ Automated vulnerability identification (Nessus)

Course Lab Setup
• Host operating system: Ubuntu (Linux)
• Hypervisor: VirtualBox
• VMs: BackTrack, Windows (Guest PC and XP-1), badstore
• Each laptop has its own separate standalone lab environment
• How to start the lab environment:
  1) Open VirtualBox
  2) Ensure that the BackTrack VM is powered on
  3) Log on to BackTrack (root/toor) and type startx
  4) Set the static IP address (.100)
  5) Ensure that the badstore VM has the badstore CD mounted, then start the VM
  6) Configure the badstore VM IP address with the following command:
     ifconfig eth0 up 10.0.2.200 netmask 255.255.255.0

Lab Scenario
In the following scenario you will need to gather as much information about your target as possible that can be used in planning the attack.
Your target is example.com. The company has hired you to confirm that their security awareness programs and policies are working as intended. In other words, they want you to confirm that employees do not open unnecessary ports/services or use unapproved software, which increases the attack surface of the company.
Lab 3.1 Ping Sweep (nmap)
1. We are going to do a ping sweep of the local subnet. Open a command line terminal in BackTrack.
2. Type nmap -sn 10.0.2.0/24 to perform a ping sweep over a range of IP addresses. List the IP addresses of running hosts.
3. Type nmap -sn --send-ip 10.0.2.15 to run the ping scan with ICMP and TCP probes instead of the ARP requests Nmap uses by default on the local subnet. List the IP addresses of running hosts. Has the number changed? If so, why?
4. Open another command line terminal and type wireshark.
5. Use the file menu to open a pcap file: File > Open > Desktop > Lab3 > ping-blocked-pcap
6. Review the pcap and note that ping is blocked.

Lab 3.1 Ping Sweep (nmap, contd.)
7. Use the file menu to open additional pcap files:
   File > Open > Desktop > Lab3 > ping-blocked-pcap
   File > Open > Desktop > Lab3 > ping-allowed-timestamp-allowed-pcap
   File > Open > Desktop > Lab3 > ping-blocked-timestamp-allowed-pcap
8. Review and compare the pcap files. The ICMP timestamp request is one of the probes nmap -sn sends, so a host that blocks echo requests but answers timestamp requests still shows up as live.
Lab 3.1 Ping Sweep (SuperScan)
1. We are going to do a ping sweep of the local subnet. Open the SuperScan folder on the Guest PC, C:\lab-tools\superscan, and run SuperScan4.exe.
2. Type the start IP (10.0.2.0) and end IP (10.0.2.254) and press the arrow button. From the “Host and Services Discovery” tab uncheck “UDP port scan” and “TCP port scan”. Then press the play button to perform a ping sweep over the range of IP addresses. List the IP addresses of running hosts.

Lab 3.1 Ping Sweep (SuperScan, contd.)
3. Now try the same IP range again with the following settings: from the “Scan Options” tab, uncheck “hide systems with no open ports” and rerun the scan. Note the number of systems now and the information provided. View the final scan via the “view html results” button.

Lab 3.1 Ping Sweep (Angry IP Scanner)
Note the Windows XP/Vista limitations.
1. We are going to do a ping sweep of the local subnet. Open Angry IP Scanner from the Guest PC: navigate to C:\lab-tools\angryip and run the .exe file.
2. Type the IP range.
3. From the menu select Tools > Preferences; on the “Scanning” tab check “scan dead hosts”.
4. Press the start button to perform a ping sweep over the range of IP addresses. List the IP addresses of running hosts, note the duration of the scan, and compare it to the nmap scan.

Lab 3.1 Ping Sweep (Zenmap)
1. We are going to do a ping sweep of the local subnet. Open Zenmap from the BackTrack command terminal: zenmap
2. Type the subnet to scan, 10.0.2.0/24, choose the ping scan profile, and press Scan to perform a ping sweep over the range of IP addresses. List the IP addresses of running hosts. Press Ctrl+P or go to Profile > New Profile, review the options, and note the hints for each option.

Lab 3.1 Ping Sweep (Nessus)
1. We are going to do a ping sweep of the local subnet. Open Nessus via the “Nessus Client” shortcut on the Guest PC desktop (username = visitor, password = qwerty).
2. From the Scan tab, launch the “host discovery” scan to perform a ping sweep over a range of IP addresses. List the IP addresses of running hosts and review the scan results. Open My Documents and then open the pcap files to compare the pcap of nmap host discovery with the Nessus host discovery pcap. Which pcap is larger and noisier?
Lab 3.2 Port Scanning
1. Now that we know what hosts are running, we can port scan them. Open a command line terminal in BackTrack.
2. Type nmap and hit Enter to view the list of options.
3. Type nmap -sT your_target_IP_address to perform an Nmap full connect scan. List the open ports and services. Can you guess the OS from the services? Use -vv to increase the verbosity of the scan output.
4. Run the other Nmap scan options and note the new information: -sS, -sA, -sF, -sV. Save scan results using -oN (normal output) and -oX (XML output).

Lab 3.2 Port Scanning (contd.)
1. Now that we know what hosts are running, we can port scan them. Open a command line terminal in BackTrack.
2. Type wireshark and hit Enter.
3. Use the file menu to open an additional pcap file: File > Open > Desktop > Lab3 > tcp-connection-example. Note the three-step handshake captured in the pcap.

Lab 3.2 Port Scanning (Nessus)
1. Open Nessus, and from the Scan tab launch the port scan.
2. Review the scan results and note the open ports.
3. Review the scan policy and note the difference between the host discovery and port scan policies.

Lab 3.2 Port Scanning (CurrPorts)
1. Run CurrPorts: C:\lab-tools\currports\cports.exe
2. CurrPorts runs immediately and displays all ports on your machine.
3. Select a port and go to File > Properties. Review the process ID, port number, and other info.
4. You can close a suspicious connection via File > Close Selected TCP Connections.
5. Ensure that the XP-1 host is up. From the Guest PC, open a command terminal and type: telnet 10.0.2.60 23
6. Refresh CurrPorts and note the suspicious telnet connection. Follow step 4 above to close the connection.

Lab 3.2 Port Scanning (netstat)
1. From the Guest PC command prompt type netstat /? and review the help.
2. Type netstat -a -p tcp 10 (all TCP connections and listening ports, refreshed every 10 seconds). List the open ports and services and compare them to the nmap/Nessus results.
3. (optional) Ensure that the XP-1 host is up. From the Guest PC, open a command terminal and type: telnet 10.0.2.60 23
4. (optional) Review the netstat output and note the telnet connection.
Lab 3.3 (a) netcat Banner Grabbing
1. We will now try to gain some information from the services listening on the open ports. Open a command line terminal in BackTrack.
2. You will now use the vi text editor to write a simple text file containing an HTTP request.
   1. Type vi head.txt to open a new text file called “head.txt” and hit i to insert text.
   2. Type the following request line, then press Enter twice so that the file ends with an empty line (HTTP needs the blank line to know the headers are finished):
      HEAD / HTTP/1.0

   3. Hit Esc to stop inserting text, then type ZZ (Shift+z twice) to save the file and quit the editor.
3. You will now use netcat to try to gain some information from open port 80 on the target. Type nc -vv 192.168.1.180 80 < head.txt
4. What software and OS is the server running? Look at the Server header in the response. (The malformed “GET HEAD / 1.0” on the original slide also works in practice, because most servers answer with a 400 Bad Request that still carries the Server header.)

Lab 3.3 (b) telnet Banner Grabbing
1. We will now try to gain some information from the services listening on the open ports. Open a command line terminal in BackTrack.
2. Type:
   1. telnet 10.0.2.200 80
   2. HEAD / HTTP/1.0 followed by Enter twice
3. What software and OS is the server running?
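Added example covering labs 3.3 (a) and (b); it is not the deck's code. The Python below builds the HEAD request the labs type by hand (with the CRLF pairs and the empty line HTTP needs), parses the status line and the Server/X-Powered-By headers out of a response, and turns the Server header into the OS hint the lab question asks for. The two sample responses are constructed, not captured from the badstore VM; grab_http_banner() is the live version for use in the lab against a host you are authorized to test.

```python
import socket
from typing import Dict, Optional


def head_request(host: str, path: str = "/") -> bytes:
    """A well-formed request: method, path, version, a Host header, then the empty line ending the headers."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_banner(response: bytes) -> Dict[str, Optional[str]]:
    """Extract the status line and the headers that leak software versions."""
    head, _sep, _body = response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "server": headers.get("server"), "x-powered-by": headers.get("x-powered-by")}


def os_hint(server: Optional[str]) -> str:
    """Guess the platform from the Server header, as the lab question asks."""
    if not server:
        return "unknown (no Server header)"
    s = server.lower()
    if "microsoft-iis" in s or "(win32)" in s or "(win64)" in s:
        return "Windows"
    for token in ("(ubuntu)", "(debian)", "(centos)", "(red hat)", "(fedora)"):
        if token in s:
            return "Linux"
    if "(unix)" in s:
        return "Unix-like"
    return "unknown"


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Live version of the lab step: connect, send the HEAD request, read the whole response, parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(head_request(host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_banner(b"".join(chunks))


# Constructed responses, not captured from the lab VMs.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nDate: Mon, 12 Dec 2011 10:00:00 GMT\r\n"
             b"Server: Apache/1.3.28 (Unix) PHP/4.3.3\r\nX-Powered-By: PHP/4.3.3\r\n"
             b"Content-Type: text/html\r\n\r\n")
# Even a malformed request such as the slide's "GET HEAD / 1.0" draws a reply, and the error still names the server.
SAMPLE_BAD_REQUEST = (b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/6.0\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>Bad Request</html>")


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD_REQUEST):
        banner = parse_banner(sample)
        print(banner["status"], "|", banner["server"], "|", os_hint(banner["server"]))
    print(head_request("10.0.2.200"))
```

The defensive counterpart is the “change service banners” item from the port scanning defenses: a Server header of just "Apache" gives os_hint() nothing to work with, though -sV style probing of actual behaviour can still narrow it down.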
Lab 3.4 Passive OS Identification
1. We are going to find out what operating system is running on a public web server (freebsd.org). Open a command line terminal in BackTrack and obtain a DHCP address by typing dhclient eth3
2. Then type: p0f -A
3. Open a web browser and go to freebsd.org. Take note of the output in the terminal window.
4. Hit Ctrl+C to stop running p0f.
5. Open Ettercap by typing ettercap -G and start unified sniffing on eth3.
6. Navigate to View > Profiles.
7. Navigate to Start > Start Sniffing.
8. Go to freebsd.org again.
9. Take note of the output in the Ettercap window.
10. Compare to http://uptime.netcraft.com/up/graph

Lab 3.5 Active OS Identification
1. We are going to perform active OS fingerprinting with Nmap and xprobe2.
2. Open a command line terminal in BackTrack and type nmap -O your_target_IP_address (that is a capital O) to perform an operating system fingerprint. What is the general OS of the Windows machine?
3. Now use xprobe2 to perform host discovery.
4. From the BackTrack menu: Applications > BackTrack > Information Gathering > Network Analysis > OS Fingerprinting > xprobe2
5. Type ./xprobe2 your_target_IP_address. What is the best-guess OS of the target?

Lab 3.5 Active OS Identification (Nessus)
1. We are going to perform active OS fingerprinting with Nessus.
2. From the Scan tab, launch the “OS Discovery Scan”. Review the results and note which plugin is used for OS discovery. Compare the OS results to the Nmap results. Review the scan policy to see how OS discovery is enabled.
Lab 3.6 Anonymous Scanning (Spoofed IP)
1. From a command line in BackTrack type: wireshark
2. Sniff traffic on eth3.
3. Open another command line terminal in BackTrack and type nmap -S 10.0.2.60 -e eth3 10.0.2.15
   Note that the responses go to the spoofed address (10.0.2.60), not to your machine, so the scan itself learns nothing unless you can also sniff those responses.
   Note that a spoofed IP can be used to frame a competing company and not just to hide your identity.
   Note the source address and target address in the pcap.
4. Type wireshark and hit Enter. Use the file menu to open an additional pcap file: File > Open > Desktop > Lab3 > spoofed-ip-example

Lab 3.6 Anonymous Scanning (Anonymizer)
1. From the Ubuntu machine, use the web browser and navigate to http://anonymouse.org/. Choose English. Click on “Your Calling Card without Anonymouse” and “Your Calling Card with Anonymouse” to compare the results.
2. Enter a website to browse anonymously and press the “surf anonymously” button.
Lab 3.7 (a) Finding Vulnerabilities (US-CERT)
• Review vulnerabilities at US-CERT: http://www.us-cert.gov/cas/bulletins/ (released every Monday, always one week behind)
• Pick a vulnerability based on an OS/service in the environment to review and note the following items:
  ◦ The CVE reference number
  ◦ Impact scores (the higher the score, the greater the impact)
  ◦ Vulnerable versions

Lab 3.7 (b) Finding Vulnerabilities (OSVDB)
• Use Hackerstorm to review vulnerabilities
  ◦ Go to http://www.hackerstorm.com/start.html to start the OSVDB Hackerstorm tool
  ◦ Click the OSVDB search button at the bottom of the home screen. Scroll through the vendors, choose PuTTY, and then click the view button.
  ◦ From the next screen choose view all. Review the vulnerabilities listed and click one to view its details. From the tool you can see the description, solution, references, etc.
  ◦ Note that this tool makes it easy to search for vulnerabilities both old and new by vendor, etc.

Lab 3.7 (c) Finding Vulnerabilities (Nessus)
• From the Nessus Scan tab, launch the “Internal Network Scan”
  ◦ Review the scan results and look for vulnerabilities that are exploitable
  ◦ Review and investigate patches that can be applied to fix an exploitable vulnerability
  ◦ Review the vulnerability via US-CERT
Resources
http://www.dc-cybersecurity.com/
http://www.amazon.com/Certified-Ethical-Hacker-All-Guide/dp/0071772294
http://www.amazon.com/Certified-Ethical-Hacker-Study-Guide/dp/0470525207/ref=sr_1_1?s=books&ie=UTF8&qid=1323531433&sr=1-1
http://www.amazon.com/Build-Your-Own-Security-Lab/dp/0470179864/ref=sr_1_1?s=books&ie=UTF8&qid=1323535901&sr=1-1
http://en.wikipedia.org/wiki/Kevin_Mitnick
Oceans 11 clip: http://www.youtube.com/watch?v=Shg__OqtEwY
http://www.independent.co.uk/news/uk/this-britain/rafs-wartime-reconnaissance-photos-go-online-in-new-archive-1825926.html?action=gallery&ino=6
www.anywho.com
people.yahoo.com
www.zabasearch.com
www.peoplesearchnow.com
www.ZoomInfo.com
www.facebook.com
www.Linkedin.com
http://www.backtrack-linux.org/
http://www.de-ice.net/
National Vulnerability Database (nvd.nist.gov)
Exploit-Database (exploit-db.com)
Securitytracker (www.securitytracker.com)
Securiteam (www.securiteam.com)
Hackerstorm Vulnerability Research (www.hackerstorm.com)
Hackerwatch (www.hackerwatch.org)
SecurityFocus (www.securityfocus.com)
Security Magazine (www.securitymagazine.com)
SC Magazine (www.scmagazine.com)
www.myspace.com
http://investigatrixx.wordpress.com/2008/10/03/how-to-conduct-your-own-stake-out-surveillance/
http://www.ehow.com/how_4829346_run-credit-check-somebody.html
http://bobarno.com/thiefhunters/2009/08/atm-credit-card-fraud-sweden/
Sarah Palin: http://www.youtube.com/watch?v=vgRA8oTk8ig&feature=related
http://www.youtube.com/watch?v=4pnKbibi6QY
http://en.wikipedia.org/wiki/Robin_Sage
http://mirror.anapnea.net/hbgary/aaron_hbgary_com/attachments/5482.pdf
www.wigle.net
http://archives.cnn.com/2002/TECH/internet/08/22/net.internalmemos/
http://wikileaks.org/
http://johnny.ihackstuff.com/ghdb/
http://uptime.netcraft.com/up/graph
www.geektools.com/whois.php
www.arin.net
http://www.us-cert.gov/cas/bulletins/
www.netstumbler.com
http://www.hackerstorm.com/start.html
http://www.visualroute.com
http://www.iwebtool.com/link_extractor
http://it.toolbox.com/blogs/managing-infosec/google-hacking-master-list-28302
http://cirt.net/passwords
www.spyfu.com
http://www.zillow.com
http://www.google.com/finance
www.Hoovers.com
www.Archive.org
http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
www.mailtracker.com
http://www.emailtrackerpro.com/demo.html
http://www.wikihow.com/Dumpster-Dive
www.kismetwireless.net
List of Tools
• PDF mapping tools to the different phases of pen testing
• Review the list of tools and pick tools that you know and can demonstrate, or that you would like to learn more about
• CEH Certified Ethical Hacker All-in-One Exam Guide (Amazon.com)
• Social Engineering Toolkit, Maltego

Parking Lot Topics

Suggestions for Improvement
• TBD