<!DOCTYPE html>
<html lang="en">
<head>
<link rel="icon" href="./favico.png" sizes="32x32" type="image/png">
<link rel="shortcut icon" href="./favico.ico" />
<meta name="viewport" content="width=device-width, initial-scale=0.41, maximum-scale=0.8" />
<title>CEH v10 - Unofficial Study Guide - 2020</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" href="./index.css">
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js"
integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js"
integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"
integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"
crossorigin="anonymous"></script>
<script>
$(document).ready(function() {
$('#sidebar, #content').toggleClass('active');
});
$(function () {
$('#sidebarCollapse').on('click', function () {
$('#sidebar, #content').toggleClass('active');
}
);
});
</script>
<link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.10.0/css/all.css"
integrity="sha384-AYmEC3Yw5cVb3ZcuHtOA93w35dYTsvhLPVnYs9eStHfGJvOvKxVfELGroGkvsg+p" crossorigin="anonymous" />
<link rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/malihu-custom-scrollbar-plugin/3.1.5/jquery.mCustomScrollbar.min.css">
</head>
<body >
<div class="container-xs" >
<div class="row ">
<div class="vertical-nav col-sm-2 col-2 bg-info container-fluid" style="background: #3498db;" id="sidebar">
<ul class="nav flex-column bg-info mb-0 ">
<li class="nav-item">
<a style="font-size: small;" class="nav-link text-light font-italic " href="#zero"> 0-Introduction to
Ethical Hacking</a>
</li>
<li class="nav-item">
<a style="font-size: small;" class="nav-link text-light font-italic" href="#one">1-Reconnaissance
and Footprinting</a>
</li>
<li class="nav-item">
<a style="font-size: small;" class="nav-link text-light font-italic" href="#two">2-Scanning and
Enumeration</a>
</li>
<li class="nav-item">
<a style="font-size: small;" class="nav-link text-light font-italic" href="#three">3-System Hacking</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#four">4-Malware Threats</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#five">5-Sniffing</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#six">6-Social Engineering</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#seven">7-Evading IDS, Firewalls
and Honeypots</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#eight">8-Denial of Service</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#nine">9-Session Hijacking</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#ten">10-Hacking Web Servers</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#eleven">11-Hacking Web
Applications</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#twelve">12-Hacking Wireless
Networks</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#thirteen">13-Hacking Mobile
Platforms and IoT</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#fourteen">14-Pentesting</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#fifteen">15-Cloud Computing</a>
</li>
<li class="nav-item">
<a class="nav-link text-light font-italic" style="font-size: small;" href="#sixteen">16-Cryptography</a>
</li>
</ul>
</div>
</div>
<div class="row">
<div class="page-content p-5 col-10 col-sm-10 " id="content">
<!-- Toggle button -->
<button id="sidebarCollapse" type="button" style="top:1% ;left:-50%; position: -webkit-sticky;position: sticky;"
class="btn btn-dark bg-dark rounded-pill sticky-top shadow-sm px-4 mb-4">
<span class="navbar-toggler-icon "><i class="fas fa-bars" style="color:#fff; font-size:28px;"></i></span>
</button>
<p align="center">
<img width="100%"
src="https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/55c29341ff0f4bedab9817654b06cde10e2a4ed2/CEH-banner.jpg">
</p>
<h2>Index</h2>
<ol start="0">
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/0-Introduction.md">Introduction
to
Information Security and Ethical Hacking</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/1-Reconnaissance-and-Footprinting.md">Reconnaissance
and Footprinting</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/2-Scanning-and-Enumeration.md">Scanning
and Enumeration</a></li>
<li><a href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/3-System-Hacking.md">System
Hacking</a></li>
<li><a href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/4-Malware.md">Malwares</a>
</li>
<li><a href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/5-Sniffing.md">Sniffing</a>
</li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/6-Social-Engineering.md">Social
Engineering</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/7-Evading-IDS-Firewalls-and-Honeypots.md">Evading
IDS, Firewalls and Honeypots</a></li>
<li><a href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/8-Denial-of-Service.md">Denial
of
Service</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/9-Session-Hijacking.md">Session
Hijacking</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/10-Hacking-Web-Servers.md">Hacking
Web Servers</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/11-Hacking-Web-Applications.md">Hacking
Web Applications</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/12-Hacking-Wireless-Networks.md">Hacking
Wireless Networks</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/13-Hacking-Mobile-Platforms-and-IoT.md">Hacking
IoT and Mobile Platforms</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/14-Pentesting.md">Pentesting</a>
</li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/15-Cloud%2520Computing.md">Cloud
Computing</a></li>
<li><a
href="https://github.com/Samsar4/CEH-v10-Study-Guide/blob/master/modules/16-Cryptography.md">Cryptography</a>
</li>
</ol>
<hr>
<h1 id="zero">0. Introduction</h1>
<h2><u> Fundamental Security Concepts </u></h2>
<p>The whole principle is to avoid <strong>Theft, Tampering and Disruption</strong> of the systems through
<strong>CIA
Triad</strong> (Confidentiality, Integrity and Availability).</p>
<p align="center">
<img width="50%" src="https://i.ytimg.com/vi/AJTJN4wDBM8/hqdefault.jpg">
</p>
<ul>
<li>
<p><strong>Confidentiality</strong>
Keeping systems and data from being accessed, seen, or read by anyone who is not authorized to do so.</p>
</li>
<li>
<p><strong>Integrity</strong>
Protecting the data from modification or deletion by unauthorized parties, and ensuring that when authorized
people make changes that shouldn't have been made, the damage can be undone.</p>
</li>
<li>
<p><strong>Availability</strong>
Systems, access channels, and authentication mechanisms must all be working properly for the information
they
provide and protect to be available when needed.</p>
</li>
</ul>
<p><strong>Note:</strong> <em>In addition, other properties, such as authenticity, accountability,
non-repudiation and
reliability can also be involved. (ISO/IEC 27000:2009)</em></p>
<ul>
<li>
<p><strong>Auditing &amp; Accountability</strong>
Keeping track of everything: who has been logging in, when they are logging in, and who accesses the
data.</p>
</li>
<li>
<p><strong>Non-Repudiation</strong>
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a
legal
concept that is widely used in information security and refers to a service, which provides proof of the
origin
of data and the integrity of the data.</p>
</li>
</ul>
<h3><strong>Security, Functionality and Usability balance</strong></h3>
<p>There is an interdependency between these three attributes. When <strong>security goes up, usability and
functionality come down</strong>. Any organization should balance between these three qualities to arrive at
a
balanced information system.</p>
<p align="center">
<img width="50%"
src="https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/f14455ed4def635e1bc93b85657f43dbbf4a3127/triad2.png">
</p>
<h2><u>Types of Hackers</u></h2>
<p align="center">
<img width="50%" src="https://www.simplilearn.com/ice9/free_resources_article_thumb/types-hacker.JPG">
</p>
<blockquote>
<ul>
<li><strong>Black Hat</strong> - Hackers that seek to perform malicious activities.</li>
<li><strong>Gray Hat</strong> - Hackers that perform good or bad activities but do not have the permission
of the
organization they are hacking against.</li>
<li><strong>White Hat</strong> - Ethical hackers; They use their skills to improve security by exposing
vulnerabilities before malicious hackers.</li>
</ul>
</blockquote>
<p><strong>Script Kiddie / Skiddies</strong> - Unskilled individual who uses malicious scripts or programs, such
as a
web shell, developed by others to attack computer systems and networks and deface websites.</p>
<p><strong>State-Sponsored Hacker</strong> - Hacker that is hired by a government or a related entity.</p>
<p><strong>Hacktivist</strong> - Someone who hacks for a cause; political agenda.</p>
<p><strong>Suicide Hackers</strong> - Hackers who are not afraid of going to jail or facing any sort of
punishment; they hack to get the job done.</p>
<p><strong>Cyberterrorist</strong> - Motivated by religious or political beliefs to create fear or disruption.
</p>
<h2><u>Hacking Vocabulary</u></h2>
<ul>
<li><strong>Hack value</strong> - Perceived value or worth of a target as seen by the attacker.</li>
<li><strong>Vulnerability</strong> - A system flaw, weakness on the system (on design, implementation etc).
</li>
<li><strong>Threat</strong> - Exploits a vulnerability.</li>
<li><strong>Exploit</strong> - Exploits are a way of gaining access to a system through a security flaw and
taking
advantage of the flaw for their benefit.</li>
<li><strong>Payload</strong> - Component of an attack; is the part of the private user text which could also
contain
malware such as worms or viruses which performs the malicious action; deleting data, sending spam or
encrypting
data.</li>
<li><strong>Zero-day attack</strong> - Attack that occurs before a vendor knows or is able to patch a flaw.
</li>
<li><strong>Daisy Chaining / Pivoting</strong> - Gaining access to a network and/or computer and then
using the same information to gain access to multiple networks and computers that contain desirable
information.
</li>
<li><strong>Doxxing</strong> - Publishing PII about an individual usually with a malicious intent.</li>
<li><strong>Enterprise Information Security Architecture</strong> (EISA) - determines the structure and
behavior of
organization's information systems through processes, requirements, principles and models.</li>
</ul>
<h2><u> Threat Categories </u></h2>
<ul>
<li>
<p><strong>Network Threats</strong></p>
<ul>
<li>Information gathering</li>
<li>Sniffing and eavesdropping</li>
<li>DNS/ARP Poisoning</li>
<li>MITM (Man-in-the-Middle Attack)</li>
<li>DoS/DDoS</li>
<li>Password-based attacks</li>
<li>Firewall and IDS attack</li>
<li>Session Hijacking</li>
</ul>
</li>
<li>
<p><strong>Host Threats</strong></p>
<ul>
<li>Password cracking</li>
<li>Malware attacks</li>
<li>Footprinting</li>
<li>Profiling</li>
<li>Arbitrary code execution</li>
<li>Backdoor access</li>
<li>Privilege Escalation</li>
<li>Code Execution</li>
</ul>
</li>
<li>
<p><strong>Application Threats</strong></p>
<ul>
<li>Injection Attacks</li>
<li>Improper data/input validation</li>
<li>Improper error handling and exception management</li>
<li>Hidden-field manipulation</li>
<li>Broken session management</li>
<li>Cryptography issues</li>
<li>SQL injection</li>
<li>Phishing</li>
<li>Buffer Overflow</li>
<li>Information disclosure</li>
<li>Security Misconfigurations</li>
</ul>
</li>
</ul>
<h2><u> Attack Vectors </u></h2>
<p><em>Path by which a hacker can gain access to a host in order to deliver a payload or malicious outcome</em>
</p>
<ul>
<li>
<p><strong>APT - Advanced Persistent Threats</strong></p>
<ul>
<li>An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored
group,
which gains unauthorized access to a computer network and remains undetected for an extended period;
Typically
uses zero day attacks.</li>
</ul>
</li>
<li>
<p><strong>Cloud computing / Cloud based technologies</strong></p>
<ul>
<li>A flaw in one client's application could allow an attacker to access other clients' data</li>
</ul>
</li>
<li>
<p><strong>Viruses, worms, and malware</strong></p>
<ul>
<li>Viruses and worms are the most prevalent networking threats and are capable of infecting a network
within seconds.</li>
</ul>
</li>
<li>
<p><strong>Ransomware</strong></p>
<ul>
<li>Restricts access to the computer system's files and folders and demands an online ransom payment to
the
attacker in order to remove the restrictions.</li>
</ul>
</li>
<li>
<p><strong>Mobile Device threats</strong></p>
</li>
<li>
<p><strong>Botnets</strong></p>
<ul>
<li>Huge network of compromised systems used by an intruder to perform various network attacks</li>
</ul>
</li>
<li>
<p><strong>Insider attacks</strong></p>
<ul>
<li>Disgruntled employee can damage assets from inside.</li>
<li>Huge network of compromised hosts. (used for DDoS).</li>
</ul>
</li>
<li>
<p><strong>Phishing attacks</strong></p>
</li>
<li>
<p><strong>Web Application Threats</strong></p>
<ul>
<li>Attacks like SQL injection, XSS (Cross-site scripting)...</li>
</ul>
</li>
<li>
<p><strong>IoT Threats</strong></p>
</li>
</ul>
<h2><u>Attack Types</u></h2>
<h3>1. Operating System</h3>
<p><em>Attacks targeting OS flaws or security issues inside such as guest accounts or default passwords.</em>
</p>
<blockquote>
<ul>
<li><strong>Vectors</strong>: Buffer overflows, Protocol Implementations, software defects, patch levels,
authentication schemes</li>
</ul>
</blockquote>
<h3>2. Application Level</h3>
<p><em>Attacks on programming code and software logic.</em></p>
<blockquote>
<ul>
<li><strong>Vectors</strong>: Buffer overflows, Bugs, XSS, DoS, SQL Injection, MitM</li>
</ul>
</blockquote>
<h3>3. Misconfiguration</h3>
<p><em>Attack takes advantage of systems that are misconfigured due to improper configuration or default
configuration.</em></p>
<blockquote>
<ul>
<li><strong>Examples</strong>: Improper permissions of SQL users; Access-list permit all</li>
</ul>
</blockquote>
<h3>4. Shrink-Wrap Code</h3>
<p><em>Act of exploiting holes in unpatched or poorly-configured software.</em></p>
<blockquote>
<ul>
<li><strong>Examples</strong>: Software defect in version 1.0; Defect in example CGI scripts; Default
passwords
</li>
</ul>
</blockquote>
<h2><u>Vulnerabilities</u></h2>
<ul>
<li><strong>CVSS - Common Vulnerability Scoring System</strong> <a
href="https://nvd.nist.gov/vuln-metrics/cvss">[+]</a>
<ul>
<li>Places numerical score based on severity</li>
<li><img
src="https://3.bp.blogspot.com/-5V1cb_wTvsk/Wl78iF4Sd8I/AAAAAAAAF7U/KmK4pMXi54YworDgh4uI8aZtHgy0bbznQCLcBGAs/s1600/CVSS.png"
alt="cvss"></li>
</ul>
</li>
<li><strong>CVE – Common Vulnerabilities and Exposures</strong> <a href="https://cve.mitre.org/">[+]</a>
<ul>
<li>Is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.</li>
<li><img
src="https://i0.wp.com/gbhackers.com/wp-content/uploads/2016/10/cve.png?resize=486%252C408&ssl=1"
alt="cve"></li>
</ul>
</li>
<li><strong>NVD - National Vulnerability Database</strong> <a href="https://nvd.nist.gov/">[+]</a>
<ul>
<li>is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list; US Gov.
vulnerabilities repository.</li>
</ul>
</li>
</ul>
<h3>Vulnerability Categories</h3>
<ul>
<li><strong>Misconfiguration</strong> - improperly configuring a service or application</li>
<li><strong>Default installation</strong> - failure to change settings in an application that come by default
</li>
<li><strong>Buffer overflow</strong> - code execution flaw</li>
<li><strong>Missing patches</strong> - systems that have not been patched</li>
<li><strong>Design flaws</strong> - flaws inherent to system design such as encryption and data validation
</li>
<li><strong>Operating System Flaws</strong> - flaws specific to each OS</li>
<li><strong>Default passwords</strong> - leaving default passwords that come with system/application</li>
</ul>
<h2><u>Pen test Phases (CEH)</u></h2>
<ol>
<li><strong>Pre-Attack Phase</strong> - Reconnaissance and data-gathering.</li>
<li><strong>Attack Phase</strong> - Attempts to penetrate the network and execute attacks.</li>
<li><strong>Post-Attack Phase</strong> - Cleanup to return a system to the pre-attack condition and deliver
reports.
</li>
</ol>
<blockquote>
<p>⚠️ For the exam, EC-Council brings its own methodology and that's all you need for the exam; you can check
other pentesting methodologies <a
href="https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies">here</a>
if you are interested. In case you are studying to become a professional pentester besides certification
content,
I recommend the <a href="https://www.isecom.org/research.html">OSSTMM</a> (Open Source Security Testing
Methodology Manual).</p>
</blockquote>
<h2><u>The Five Stages of Ethical Hacking</u></h2>
<h3>1. <strong>Reconnaissance</strong></h3>
<p><em>Gathering evidence about targets</em>; There are two types of Recon:</p>
<ul>
<li><strong>Passive Reconnaissance</strong>: Gain information about targeted computers and networks
<strong>without
direct interaction with the systems</strong>.
<ul>
<li>e.g: Google Search, Public records, New releases, Social Media, Wardrive scanning networks around.
</li>
</ul>
</li>
<li><strong>Active Reconnaissance</strong>: Involves direct interaction with the target.
<ul>
<li>e.g: Make a phone call to the target, Job interview; tools like Nmap, Nessus, OpenVAS, Nikto and
Metasploit
can be considered as Active Recon.</li>
</ul>
</li>
</ul>
<h3>2. <strong>Scanning & Enumeration</strong></h3>
<p><em>Obtaining more in-depth information about targets.</em></p>
<ul>
<li>e.g: Network Scanning, Port Scanning, Which versions of services are running.</li>
</ul>
<h3>3. <strong>Gaining Access</strong></h3>
<p><em>Attacks are leveled in order to gain access to a system.</em></p>
<ul>
<li>e.g: Can be done locally (offline), over a LAN or over the internet.
<ul>
<li>e.g(2): Spoofing to exploit the system by pretending to be a legitimate user or different systems,
they can
send a data packet containing a bug to the target system in order to exploit a vulnerability.</li>
<li>Can be done using many techniques like command injection, buffer overflow, DoS, brute forcing
credentials,
social engineering, misconfigurations etc.</li>
</ul>
</li>
</ul>
<h3>4. <strong>Maintaining Access</strong></h3>
<p><em>Items put in place to ensure future access.</em></p>
<ul>
<li>e.g: Rootkit, Trojan, Backdoor can be used.</li>
</ul>
<h3>5. <strong>Covering Tracks</strong></h3>
<p><em>Steps taken to conceal success and intrusion; Not be noticed.</em></p>
<ul>
<li>e.g: Clear the logs; Obfuscate trojans or malicious backdoor programs.</li>
</ul>
<h2>Three Types of Active Defense</h2>
<ul>
<li><strong>Annoyance</strong>
<ul>
<li>Involves tracking a hacker and leading him into a fake server, wasting his time — and making him easy
to
detect.</li>
</ul>
</li>
<li><strong>Attribution</strong>
<ul>
<li>Identify an attacker; Uses tools to trace the source of an attack back to a specific location, or even
an
individual hacker.</li>
</ul>
</li>
<li><strong>Attack</strong>
<ul>
<li>That is most controversial. To “hack back,” a company accesses an alleged hacker’s computer to delete
its
data or even to take revenge. Both of these steps are considered illegal.</li>
</ul>
</li>
</ul>
<h2><u> Information Assurance (IA) </u></h2>
<p><em>Refers to the assurance of the integrity, availability, confidentiality, and authenticity of information
and
information systems during usage, processing, storage and transmission of information.</em></p>
<ul>
<li><strong>Processes that help achieving IA:</strong>
<ul>
<li>Developing local policy, process, and guidance.</li>
<li>Designing network and user authentication strategy.</li>
<li>Identifying network vulnerabilities and threats (Vulnerability assessments outline the security
posture of
the network).</li>
<li>Identifying problems and resource requirements.</li>
<li>Creating plan for identified resource requirements.</li>
<li>Applying appropriate IA controls.</li>
<li>Performing C&A (Certification and Accreditation) process of information systems helps to trace
vulnerabilities, and implement safety measures.</li>
<li>Providing information assurance training to all personnel in federal and private org.</li>
</ul>
</li>
</ul>
<h2><u>Information Security Management Program </u></h2>
<p><em>Combination of policies, processes, procedures, standards, and guidelines to establish the required
<strong>level of information security.</strong></em></p>
<ul>
<li>Designed to ensure the business operates in a state of reduced risk.</li>
<li>It encompasses all organizational and operational processes and participants relevant to information
security.
</li>
</ul>
<p><img
src="https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/950220d4b802bb726fe84470c7a13055b056a621/infosec.jpg"
alt="infosec"></p>
<blockquote>
<p>⚠️ <strong>IA</strong> focuses on risk assessment, mitigation side of things;
⚠️ <strong>InfoSec</strong> focuses on actually implementing security measures to safeguard systems.</p>
</blockquote>
<h2><u>EISA - Enterprise Information Security Architecture</u></h2>
<p><em>Set of requirements, process, principles, and models that determines the structure and behavior of an
organization's information systems.</em></p>
<ul>
<li><strong>Goals of EISA</strong>:
<ul>
<li>Help in monitoring and detecting network behaviors</li>
<li>Detect and recover from security breaches</li>
<li>Prioritizing resources of an organization</li>
<li>Help to perform risk assessment of an organization's IT assets.</li>
<li>Cost prospective when incorporated in security provisions such as incident response, disaster
recovery,
event correlation, etc.</li>
</ul>
</li>
</ul>
<h2><u>Physical Security Controls</u></h2>
<ul>
<li>
<p><strong>Preventive control</strong>: Deters the actor from performing the threat.</p>
<ul>
<li>e.g: Fence, Server Locks, Mantraps, etc.</li>
</ul>
</li>
<li>
<p><strong>Detective control</strong>: Recognizes an actor's threat.</p>
<ul>
<li>e.g: Background check, CCTV.</li>
</ul>
</li>
<li>
<p><strong>Deterrent control</strong>: Deters the actor from <strong>attempting</strong> the threat.</p>
<ul>
<li>e.g: Warning Sign.</li>
</ul>
</li>
<li>
<p><strong>Recovery</strong>: Mitigates the impact of a manifested threat.</p>
<ul>
<li>e.g: Backups.</li>
</ul>
</li>
<li>
<p><strong>Compensating control</strong>: Provides alternative fixes to any of the above functions.</p>
</li>
</ul>
<p><em>Most security controls are preventive phase controls</em>.</p>
<p>⚠️ <strong>Defense in Depth</strong>: Multiple layers of security controls; Provides redundancy in the event
of a
control failure. (e.g.: image below)</p>
<p><img
src="https://www.fairwarning.com/wp-content/uploads/2019/03/Defense-in-Depth-for-Cloud-Security-Rainbow-Diagram.png"
alt="defense-in-depth"></p>
<h3>Types of Security Controls</h3>
<table>
<thead>
<tr>
<th>Description</th>
<th>Examples</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Physical</strong></td>
<td>Guards, lights, cameras, fire extinguishers, flood protection</td>
</tr>
<tr>
<td><strong>Administrative</strong></td>
<td>Training awareness, policies, procedures and guidelines to infosec</td>
</tr>
<tr>
<td><strong>Technical</strong></td>
<td>IDS/IPS, Firewall, Encryption, Smart cards, Access control lists</td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>Description</th>
<th>Examples</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Preventative</strong></td>
<td>authentication, alarm bells</td>
</tr>
<tr>
<td><strong>Detective</strong></td>
<td>audits, backups</td>
</tr>
<tr>
<td><strong>Corrective</strong></td>
<td>restore operations</td>
</tr>
</tbody>
</table>
<h2><u>Managing the Risk</u></h2>
<p><strong>Risk</strong> can be defined as a probability of the occurrence of a threat or an event that may
damage, or
cause loss or have other negative impact either from internal or external liabilities.</p>
<h3>Risk matrix</h3>
<p>A <strong>risk matrix</strong> is used during <strong>risk assessment</strong> to define the level of risk by
considering the category of <strong>probability or likelihood</strong> against the category of consequence
<strong>severity</strong>.
</p>
<ul>
<li>This is a simple mechanism to increase visibility of risks and assist management decision making.</li>
</ul>
<p><img src="https://paladinrisk.com.au/wp-content/uploads/2018/11/risk-1-1024x434.jpg" alt="matrix"></p>
<h3>Risk Management</h3>
<p><em>Is the identification, evaluation, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the probability or impact of unfortunate events
or to
maximize the realization of opportunities.</em></p>
<h3>Phases of Risk Management</h3>
<p align="center">
<img width="60%"
src="http://informeanual.abengoa.com/export/sites/abengoa_ia/2010/resources/images/responsabilidad_social/C12ING/12.6.jpg">
</p>
<ul>
<li><strong>Risk Identification</strong>
<ul>
<li>Identifies the sources, causes, consequences of the internal and external risks.</li>
</ul>
</li>
<li><strong>Risk Assessment</strong>
<ul>
<li>Assesses the org. risk and provides an estimate on the likelihood and impact of the risk</li>
</ul>
</li>
<li><strong>Risk Treatment</strong>
<ul>
<li>Selects and implements appropriate controls on the identified risks</li>
</ul>
</li>
<li><strong>Risk Tracking</strong>
<ul>
<li>Ensures appropriate controls are implemented to handle risks and identifies the chance of a new risk
occurring</li>
</ul>
</li>
<li><strong>Risk Review</strong>
<ul>
<li>Evaluates the performance of the implemented risk management strategies</li>
</ul>
</li>
</ul>
<h3>Threat Modeling</h3>
<p>Is a risk assessment approach for analyzing the security of an application by capturing, organizing and
analyzing
all the information that affects the security of an application.</p>
<ol>
<li>Identify Objectives
<ul>
<li>Helps to determine how much effort needs to be put on subsequent steps</li>
</ul>
</li>
<li>Application Overview
<ul>
<li><strong>Identify the components</strong>, data flows, and trust boundaries</li>
</ul>
</li>
<li>Decompose Application
<ul>
<li>Find <strong>more relevant details on threats</strong></li>
</ul>
</li>
<li>Identify Threats
<ul>
<li>Identify threats relevant to your control scenario and context using the information obtained in steps
2 and
3</li>
</ul>
</li>
<li>Identify Vulnerabilities
<ul>
<li><strong>Identify weaknesses</strong> related to the threats found using vulnerability categories</li>
</ul>
</li>
</ol>
<h2><u>Security Policies</u></h2>
<ol>
<li><strong>Policies</strong> - High-level statements about protecting information; Business rules to
safeguard CIA
triad; Security Policies can be applied on Users, Systems, Partners, Networks, and Providers.
<ul>
<li><strong>Common Security Policies examples:</strong></li>
<li>Password Policy
<ul>
<li>Meet the password complexity requirements.</li>
<li>e.g.: Minimum 8 char length, upper and lower case and alphanumerical.</li>
</ul>
</li>
<li>Wireless Security Policy</li>
<li>AUP - Acceptable Use Policy
<ul>
<li>How to properly use the company's assets</li>
<li>e.g.: "Do's and Don'ts" with the company's computers.</li>
</ul>
</li>
<li>Data Retention Policy
<ul>
<li>e.g.: Keep the data for X time.</li>
</ul>
</li>
<li>Access Control Policies
<ul>
<li>e.g.: Accessing servers; Firewalls</li>
</ul>
</li>
</ul>
</li>
<li><strong>Procedures</strong> - Set of detailed steps to accomplish a goal; Instructions for implementation
</li>
<li><strong>Guidelines</strong> - Advice on actions given a situation; Recommended, not mandatory</li>
</ol>
<h2>Security Policy - Examples</h2>
<ul>
<li>
<p><strong>Access Control Policy</strong></p>
<ul>
<li>This defines the resources being protected and the rules that control access to them</li>
</ul>
</li>
<li>
<p><strong>Remote Access Policy</strong></p>
<ul>
<li>This defines who can have remote access and defines access medium and remote access security controls.
</li>
</ul>
</li>
<li>
<p><strong>Firewall Management Policy</strong></p>
<ul>
<li>This defines access, management and monitoring of firewalls in an organization.</li>
</ul>
</li>
<li>
<p><strong>Network Connection Policy</strong></p>
<ul>
<li>This defines who can install new resources on the network, approve the installation of new devices,
document
network changes etc.</li>
</ul>
</li>
<li>
<p><strong>Password Policy</strong></p>
<ul>
<li>This defines guidelines for using strong password protection on available resources.</li>
</ul>
</li>
<li>
<p><strong>User Account Policy</strong></p>
<ul>
<li>This defines the account creation process, authority, rights and responsibility of user accounts.</li>
</ul>
</li>
<li>
<p><strong>Information Protection Policy</strong></p>
<ul>
<li>This defines the sensitivity levels of information, who may have access, how it is stored and
transmitted,
and how it should be deleted from storage media etc.</li>
</ul>
</li>
<li>
<p><strong>Special Access Policy</strong></p>
<ul>
<li>This defines the terms and conditions of granting special access to system resources.</li>
</ul>
</li>
<li>
<p><strong>Email Security Policy</strong></p>
<ul>
<li>This policy is designed to govern the proper usage of corporate email.</li>
</ul>
</li>
<li>
<p><strong>Acceptable Use Policy</strong></p>
<ul>
<li>This defines the acceptable use of system resources.</li>
</ul>
</li>
</ul>
<h2>Security Policy - Types</h2>
<ol>
<li>
<p><strong>Promiscuous Policy</strong> - This policy usually has no restrictions on usage of system
resources.</p>
</li>
<li>
<p><strong>Permissive Policy</strong> - This policy begins wide open and only known dangerous
services/attacks or
behaviors are blocked. This type of policy has to be updated regularly to stay effective.</p>
</li>
<li>
<p><strong>Prudent Policy</strong> - This policy provides maximum security while allowing known but
necessary
dangers. This type of policy will block all services and only safe/necessary services are enabled
individually.
Everything is logged.</p>
</li>
<li>
<p><strong>Paranoid Policy</strong> - This policy forbids everything. No Internet connection or severely
restricted Internet usage is allowed.</p>
</li>
</ol>
<h2>Security Policy - Creation Steps</h2>
<ol>
<li>Perform a Risk Assessment</li>
<li>Use security Standards and Frameworks as a guide</li>
<li>Get Management and Staff input</li>
<li>Enforce the policy. Use penalties for non-compliance</li>
<li>Publish final draft to entire org.</li>
<li>Have all staff read/sign that they understood the policy</li>
<li>Employ tools to help enforce policy</li>
<li>Staff training</li>
<li>Review and update regularly</li>
</ol>
<h2><u>Incident Management Process</u></h2>
<p><em>An incident is an event that could lead to loss of, or disruption to, an organization's operations,
services or
functions.</em></p>
<p><em><strong>Incident management</strong> is a term describing the activities of an organization to identify,
analyze, and correct hazards to prevent a future re-occurrence.</em></p>
<ol>
<li><strong>Preparation:</strong> Select people, assign rules, define tools to handle the incident.</li>
<li><strong>Detection & Analysis:</strong> Determine an incident has occurred (IDS, SIEM, AV, Someone
reporting,
etc).</li>
<li><strong>Classification and Prioritization:</strong></li>
<li><strong>Notification:</strong> Identify minor and major incidents; who to notify about an incident, and how.</li>
<li><strong>Containment:</strong> Limit the damage; Isolate hosts; Contact system owners.</li>
<li><strong>Forensic Investigation:</strong> Investigate the root cause of the incident using forensic tools;
System
logs, real-time memory, network device logs, application logs, etc;</li>
<li><strong>Eradicate & Recovery:</strong> Remove the cause of incident; Patch if needed. Recovery: get
back
into production; Monitor affected systems.</li>
<li><strong>Post-incident Activities:</strong> Document what happened and why; Transfer knowledge.</li>
</ol>
<h3>Incident Response Team Duties</h3>
<ol>
<li>Managing security issues by taking a proactive approach towards the customer's security vulnerabilities
</li>
<li>Developing or reviewing processes and procedures that must be followed</li>
<li>Managing the response to an incident and ensuring that all procedures are followed correctly in order to
minimize and control the damage</li>
<li>Identifying and analyzing what has happened during an incident, including impact and threat</li>
<li>Providing a single point of contact for reporting security incidents and issues</li>
<li>Reviewing changes in legal and regulatory requirements to ensure that all processes and procedures are
valid
</li>
<li>Reviewing existing controls and recommending steps and technologies to prevent future incidents</li>
<li>Establishing relationships with local law enforcement agencies, government agencies, key partners and suppliers
</li>
</ol>
<h3>SIEM - Security Information and Event Management</h3>
<p align="center">
<img width="90%" src="https://secureops.com/wp-content/uploads/2020/01/components-of-siem.jpg">
</p>
<p><em>Collects data points from the network, including log files, traffic captures, SNMP messages, and so on, from
every
host on the network. A SIEM can collect all this data into one centralized location and correlate it for
analysis to
look for security and performance issues, as well as negative trends, all in real time.</em></p>
<ul>
<li>
<p><strong>Aggregation</strong>: Collecting data from disparate sources and organizing the data into a
single
format. Any device within a SIEM system that collects data is called a collector or an aggregator.</p>
</li>
<li>
<p><strong>Correlation</strong>: Is the logic that looks at data from disparate sources and can make
determinations about events taking place on your network. (Could be in-band or out-of-band, depending on
the
placement of the NIDS/NIPS).</p>
<ul>
<li><strong>Alerts</strong> - For notification if something goes bad.</li>
<li><strong>Triggering</strong> - Exceeding thresholds.</li>
</ul>
</li>
<li>
<p><strong>Normalization</strong>: Organizes the collected data (for example, by creating multiple tables) in
such a way that the data
becomes more efficient to work with and the analysis and reporting tools work better.</p>
</li>
<li>
<p><strong>WORM - Write Once Read Many</strong>: The concept is that log files are precious, and a lot
of
the time you will want to consult them as an archive, so optical media like WORM drives can be used
to
store them.</p>
</li>
</ul>
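<p>The sketch below is an added example, not part of the original notes or of any SIEM product. It walks
aggregation, normalization and threshold-based correlation over a handful of constructed log records; the record
formats, field names, threshold and window are all assumptions made for illustration.</p>

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: two sources, two formats (simplified, not real captures).
SSHD_LINES = [
    "2024-05-01T10:00:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "2024-05-01T10:00:09 host1 sshd[811]: Failed password for admin from 203.0.113.7 port 4023 ssh2",
    "2024-05-01T10:00:30 host2 sshd[902]: Accepted password for alice from 198.51.100.4 port 5100 ssh2",
]
VPN_JSON = [
    '{"ts": "2024-05-01T10:00:20", "gw": "vpn1", "client": "203.0.113.7", "login": "root", "result": "deny"}',
    '{"ts": "2024-05-01T10:00:41", "gw": "vpn1", "client": "203.0.113.7", "login": "admin", "result": "deny"}',
]
SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) ")

# Normalization: both parsers map their input onto one common schema.
def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed line; dropped in this sketch
    ts, host, verdict, user, ip = m.groups()
    return {"time": datetime.fromisoformat(ts), "source": host, "src_ip": ip,
            "user": user, "outcome": "failure" if verdict == "Failed" else "success"}

def normalize_vpn(raw):
    e = json.loads(raw)
    return {"time": datetime.fromisoformat(e["ts"]), "source": e["gw"], "src_ip": e["client"],
            "user": e["login"], "outcome": "failure" if e["result"] == "deny" else "success"}

def aggregate(sshd_lines=SSHD_LINES, vpn_records=VPN_JSON):
    """Aggregation: collect both feeds into one time-ordered stream."""
    events = [normalize_sshd(l) for l in sshd_lines] + [normalize_vpn(r) for r in vpn_records]
    return sorted((e for e in events if e), key=lambda e: e["time"])

def correlate(events, threshold=4, window=timedelta(minutes=1)):
    """Correlation: alert when one src_ip reaches `threshold` failures within `window`."""
    recent, alerts = defaultdict(deque), []
    for e in filter(lambda x: x["outcome"] == "failure", events):
        q = recent[e["src_ip"]]
        q.append(e)
        while e["time"] - q[0]["time"] > window:  # expire events outside the window
            q.popleft()
        if len(q) == threshold:  # trigger once, when the threshold is reached
            alerts.append({"src_ip": e["src_ip"], "time": e["time"], "sources": sorted({x["source"] for x in q})})
    return alerts

print(correlate(aggregate()))
```

<p>Neither feed reaches the threshold on its own (two failures each); the alert only fires once both are
normalized into the same schema and correlated on the source address.</p>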
<h4>Most Popular SIEM Tools:</h4>
<ul>
<li><strong><a href="https://www.splunk.com/">Splunk</a></strong>
<img
src="https://www.splunk.com/content/dam/splunk2/images/screenshots/platform-journey/conflaunch/SS-UI-Light-Mode-frame.png"
alt="splunk">
</li>
</ul>
<br>
<ul>
<li><strong><a
href="https://www.microfocus.com/en-us/products/siem-security-information-event-management/overview">ArcSight</a></strong>
<img src="https://i.ytimg.com/vi/N7J0EwdbKF0/maxresdefault.jpg" alt="arcsight">
</li>