ECSA Brochure

Date post: 10-Apr-2015
Upload: pejman
Description:
EC-Council Certified Security Analyst (ECSA) complements the Certified Ethical Hacker (CEH) certification by exploring the analytical phase of ethical hacking. While CEH exposes the learner to hacking tools and technologies, ECSA takes it a step further by exploring how to analyze the outcome from these tools and technologies.
EC-Council Certified Security Analyst (ECSA)

EC-Council http://www.eccouncil.org

Introduction

EC-Council Certified Security Analyst (ECSA) complements the Certified Ethical Hacker (CEH) certification by exploring the analytical phase of ethical hacking. While CEH exposes the learner to hacking tools and technologies, ECSA takes it a step further by exploring how to analyze the outcome from these tools and technologies. Through groundbreaking penetration testing methods and techniques, ECSA class helps students perform the intensive assessments required to effectively identify and mitigate risks to the security of the infrastructure.

This makes ECSA a relevant milestone towards achieving EC-Council’s Licensed Penetration Tester, which also ingrains the learner in the business aspect of penetration testing. The Licensed Penetration Tester standardizes the knowledge base for penetration testing professionals by incorporating the best practices followed by experienced experts in the field.

The objective of EC-Council Certified Security Analyst is to add value to experienced security professionals by helping them analyze the outcomes of their tests. ECSA leads the learner into the advanced stages of ethical hacking.

Advanced Penetration Testing and Security Analysis

The ECSA/LPT training program is a highly interactive 5-day security class designed to teach Security Professionals the advanced uses of the available methodologies, tools and techniques required to perform comprehensive information security tests. Students will learn how to design, secure and test networks to protect your organization from the threats hackers and crackers pose. By teaching the LPT methodology and groundbreaking techniques for security and penetration testing, this class will help you perform the intensive assessments required to effectively identify and mitigate risks to the security of your infrastructure. As students learn to identify security problems, they also learn how to avoid and eliminate them, with the class providing complete coverage of analysis and network security-testing topics.

Requirements

Pass exam 412-79 to achieve EC-Council Certified Security Analyst (ECSA) certification.

Benefits

ECSA is for experienced hands in the industry and is backed by a curriculum designed by the best in the field.
Greater industry acceptance as seasoned security professional.
Learn to analyze the outcomes from using security tools and security testing techniques.
Requirement for the LPT certification.

Certification Exam

Students will be prepared for EC-Council’s ECSA exam 412-79 on the last day of the class. This certification is also a prerequisite to EC-Council’s Licensed Penetration Tester Program.

Frequently Asked Questions

1. How does ECSA deliver value to a security professional like me?
ECSA teaches you to interpret and analyze outcomes you come across during routine and exceptional security testing. It helps you analyze the symptoms and pinpoint the causes of those symptoms which reflect the security posture of the network.

2. Why should I take ECSA when I am already certified as a security professional?
Most security certifications highlight the management aspects or the technical aspects alone. ECSA helps you bridge the gap to a certain extent by helping you detect the causes of security lapses and what implications they might carry for the management. This brings you a step closer to becoming a licensed penetration tester, where you become a complete penetration testing professional.

3. How does ECSA deliver value to the enterprise’s security team?
Having an ECSA on your enterprise security team will add value to the team, as you would have a professional aboard who is exposed to advanced security testing and proficient in making a studied analysis of the situation.

4. How is ECSA different from CEH?
CEH exposes the learner to various hacking tools and techniques, while ECSA exposes the learner to the analysis and interpretation of results obtained from using those tools and techniques.

5. I have over three years experience in the industry. Should I opt for ECSA instead of CEH?
ECSA is not a replacement for CEH. CEH provides the learner with the foundation ground over which you can fortify your skills using knowledge gained from ECSA.

6. How long is the training?
The ECSA and LPT training are combined into a single ECSA/LPT Certification Boot camp class. The duration of this boot camp is 5 days. You will be prepared for ECSA and LPT certification at the end of this class.

7. What is the cost of the exam?
The ECSA exam costs USD 300.00.

Course Description

ECSA/LPT is a security class like no other! Providing real world hands on experience, it is the only in-depth Advanced Hacking and Penetration Testing class available that covers testing in all modern infrastructures, operating systems and application environments.

EC-Council’s Certified Security Analyst/LPT program is a highly interactive 5-day security class designed to teach Security Professionals the advanced uses of the LPT methodologies, tools and techniques required to perform comprehensive information security tests. Students will learn how to design, secure and test networks to protect your organization from the threats hackers and crackers pose. By teaching the tools and groundbreaking techniques for security and penetration testing, this class will help you perform the intensive assessments required to effectively identify and mitigate risks to the security of your infrastructure. As students learn to identify security problems, they also learn how to avoid and eliminate them, with the class providing complete coverage of analysis and network security-testing topics.

Who Should Attend

Network server administrators, Firewall Administrators, Security Testers, System Administrators and Risk Assessment professionals.

Duration: 5 days (9:00 – 5:00)

Certification

Course Outline v4

ECSA/LPT Certification Bootcamp

Module 1: The Need for Security Analysis
What Are We Concerned About?
So What Are You Trying To Protect?
Why Are Intrusions So Often Successful?
What Are The Greatest Challenges?
Environmental Complexity
New Technologies
New Threats, New Exploits
Limited Focus
Limited Expertise
Authentication
Authorization
Confidentiality
Integrity
Availability
Nonrepudiation
We Must Be Diligent
Threat Agents
Assessment Questions
How Much Security is Enough?
Risk
Simplifying Risk
Risk Analysis
Risk Assessment Answers Seven Questions
Steps of Risk Assessment
Risk Assessment Values
Information Security Awareness
Security policies
Types of Policies
Promiscuous Policy
Permissive Policy

Prudent Policy
Paranoid Policy
Acceptable-Use Policy
User-Account Policy
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Special-Access Policy
Network-Connection Policy
Business-Partner Policy
Other Important Policies
Policy Statements
Basic Document Set of Information Security Policies
ISO 17799
Domains of ISO 17799
No Simple Solutions
U.S. Legislation
California SB 1386
Sarbanes-Oxley 2002
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
USA Patriot Act 2001
U.K. Legislation
How Does This Law Affect a Security Officer?
The Data Protection Act 1998
The Human Rights Act 1998
Interception of Communications
The Freedom of Information Act 2000
The Audit Investigation and Community Enterprise Act 2005

Module 2: Advanced Googling
Site Operator
intitle:index.of
error | warning
login | logon
username | userid | employee.ID | “your username is”
password | passcode | “your password is”

admin | administrator
admin login
–ext:html –ext:htm –ext:shtml –ext:asp –ext:php
inurl:temp | inurl:tmp | inurl:backup | inurl:bak
intranet | help.desk
Locating Public Exploit Sites
Locating Exploits Via Common Code Strings
Searching for Exploit Code with Nonstandard Extensions
Locating Source Code with Common Strings
Locating Vulnerable Targets
Locating Targets Via Demonstration Pages
“Powered by” Tags Are Common Query Fodder for Finding Web Applications
Locating Targets Via Source Code
Vulnerable Web Application Examples
Locating Targets Via CGI Scanning
A Single CGI Scan-Style Query
Directory Listings
Finding IIS 5.0 Servers
Web Server Software Error Messages
IIS HTTP/1.1 Error Page Titles
“Object Not Found” Error Message Used to Find IIS 5.0
Apache Web Server
Apache 2.0 Error Pages
Application Software Error Messages
ASP Dumps Provide Dangerous Details
Many Errors Reveal Pathnames and Filenames
CGI Environment Listings Reveal Lots of Information
Default Pages
A Typical Apache Default Web Page
Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP
Default Pages Query for Web Server
Outlook Web Access Default Portal
Searching for Passwords
Windows Registry Entries Can Reveal Passwords
Usernames, Cleartext Passwords, and Hostnames!

Module 3: TCP/IP Packet Analysis
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Access Layer
Comparing OSI and TCP/IP
Addressing
IPv4 Addresses
IP Classes of Addresses
Reserved IP Addresses
Private Addresses
Subnetting
IPv4 and IPv6
Transport Layer
Flow Control
Three-Way Handshake
TCP/IP Protocols
TCP Header
IP Header
IP Header: Protocol Field
UDP
TCP and UDP Port Numbers
Port Numbers
TCP Operation
Synchronization or 3-way Handshake
Denial of Service (DoS) Attacks
DoS Syn Flooding Attack
Windowing
Acknowledgement
Windowing and Window Sizes
Simple Windowing
Sliding Windows
Sequencing Numbers
Positive Acknowledgment and Retransmission (PAR)
UDP Operation
Port Numbers Positioning between Transport and Application Layer (TCP and UDP)

Port Numbers: http://www.iana.org/assignments/port-numbers
What Makes Each Connection Unique?
Internet Control Message Protocol (ICMP)
Error Reporting and Error Correction
ICMP Message Delivery
Format of an ICMP Message
Unreachable Networks
Destination Unreachable Message
ICMP Echo (Request) and Echo Reply
Detecting Excessively Long Routes
IP Parameter Problem
ICMP Control Messages
ICMP Redirects
Clock Synchronization and Transit Time Estimation
Information Requests and Reply Message Formats
Address Masks
Router Solicitation and Advertisement

Module 4: Advanced Sniffing Techniques
What is Wireshark?
Wireshark: Filters
IP Display Filters
Example
Wireshark: Tshark
Wireshark: Editcap
Wireshark: Mergecap
Wireshark: Text2pcap
Using Wireshark for Network Troubleshooting
Network Troubleshooting Methodology
Using Wireshark for System Administration
ARP Problems
ICMP Echo Request/Reply Header Layout
TCP Flags
TCP SYN Packet Flags Bit Field
Capture Filter Examples
Scenario 1: SYN no SYN+ACK

Scenario 2: SYN Immediate Response RST
Scenario 3: SYN SYN+ACK ACK
Using Wireshark for Security Administration
Detecting Internet Relay Chat Activity
Wireshark as a Detector for Proprietary Information Transmission
Sniffer Detection
Wireless Sniffing with Wireshark
AirPcap
Using Channel Hopping
Interference and Collisions
Recommendations for Sniffing Wireless
Analyzing Wireless Traffic
IEEE 802.11 Header
IEEE 802.11 Header Fields
Filters
Filtering on Source MAC Address and BSSID
Filtering on BSSID
Filter on SSID
Wireless Frame Types Filters
Unencrypted Data Traffic
Identifying Hidden SSIDs
Revealed SSID
Identifying EAP Authentication Failures
Identifying the EAP Type
Identifying Key Negotiation Properties
EAP Identity Disclosure
Identifying WEP
Identifying TKIP and CCMP
Identifying IPSec/VPN
Decrypting Traffic
Scanning
TCP Connect Scan
SYN Scan
XMAS Scan
Null Scan
Remote Access Trojans
NetBus Analysis

Trojan Analysis Example NetBus Analysis

Module 5: Vulnerability Analysis with Nessus
Nessus
Features of Nessus
Nessus Assessment Process
Nessus: Scanning
Nessus: Enumeration
Nessus: Vulnerability Detection
Configuring Nessus
Updating Nessus Plug-Ins
Using the Nessus Client
Starting a Nessus Scan
Generating Reports
Data Gathering
Host Identification
Port Scan
SYN scan
Timing
Port Scanning Rules of Thumb
Plug-in Selection
Dangerous plugins
Scanning Rules of Thumb
Report Generation
Reports: Result
Identifying False Positives
Suspicious Signs
False Positives
Examples of False Positives
Writing Nessus Plugins
Writing a Plugin
Installing and Running the Plugin
Nessus Report with output from our plugin
Security Center: http://www.tenablesecurity.com

Module 6: Advanced Wireless Testing
Wireless Concepts
Wireless Concepts
802.11 Types
Core Issues with 802.11
What’s the Difference?
Other Types of Wireless
Spread Spectrum Background
Channels
Access Point
Service Set ID
Default SSIDs
Chipsets
Wi-Fi Equipment
Expedient Antennas
Vulnerabilities to 802.1x and RADIUS
Wired Equivalent Privacy
Security - WEP
Wired Equivalent Privacy
Exclusive OR
Encryption Process
Chipping Sequence
WEP Issues
WEP - Authentication Phase
WEP - Shared Key Authentication
WEP - Association Phase
WEP Flaws
WEP Attack
WEP: Solutions
WEP Solution – 802.11i
Wireless Security Technologies
WPA Interim 802.11 Security
WPA
802.1X Authentication and EAP
EAP Types
Cisco LEAP
TKIP (Temporal Key Integrity Protocol)

Wireless Networks Testing
Wireless Communications Testing
Report Recommendations
Wireless Attack Countermeasures
Wireless Penetration Testing with Windows
Attacks And Tools
War Driving
The Jargon – WarChalking
WarPumpkin
Wireless: Tools of the Trade
Mapping with Kismet
WarDriving with NetStumbler
How NetStumbler Works?
“Active” versus “Passive” WLAN Detection
Disabling the Beacon
Running NetStumbler
Captured Data Using NetStumbler
Filtering by Channels
Airsnort
WEPCrack
Monkey-Jack
How Monkey-Jack Works
Before Monkey-Jack
After Monkey-Jack
AirCrack-ng
How Does It Work?
FMS and Korek Attacks
Crack WEP
Available Options
Usage Examples
Cracking WPA/WPA2 Passphrases
Notes
Determining Network Topology: Network View
WarDriving and Wireless Penetration Testing with OS X
What is the Difference between “Active” and “Passive” Sniffing?
Using a GPS
Attacking WEP Encryption with KisMAC

Deauthenticating Clients
Attacking WPA with KisMAC
Brute-force Attacks Against 40-bit WEP
Wordlist Attacks
Mapping WarDrives with StumbVerter
MITM Attack basics
MITM Attack Design
MITM Attack Variables
Hardware for the Attack
Antennas, Amps, WiFi Cards
Wireless Network Cards
Choosing the Right Antenna
Amplifying the Wireless Signal
Identify and Compromise the Target Access Point
Compromising the Target
Crack the WEP key
Aircrack-ng Cracked the WEP Key
The MITM Attack Laptop Configuration
IP Forwarding and NAT Using Iptables
Installing Iptables and IP Forwarding
Establishing the NAT Rules
Dnsmasq
Configuring Dnsmasq
Apache Web Servers
Virtual Directories
Clone the Target Access Point and Begin the Attack
Start the Wireless Interface
Deauthenticate Clients Connected to the Target Access Point
Wait for the Client to Associate to Your Access Point
Spoof the Application
Modify the Page
Example Page
Login/php page
Redirect Web Traffic Using Dnsmasq

Module 7: Designing a DMZ
Introduction
DMZ Concepts

Multitiered Firewall With a DMZ Flow
DMZ Design Fundamentals
Advanced Design Strategies
Designing Windows DMZ
Designing Windows DMZ
Precautions for DMZ Setup
Security Analysis for the DMZ
Designing Sun Solaris DMZ
Placement of Servers
Advanced Implementation of a Solaris DMZ Server
Solaris DMZ Servers in a Conceptual Highly Available Configuration
Private and Public Network Firewall Ruleset
DMZ Server Firewall Ruleset
Solaris DMZ System Design
Disk Layout and Considerations
Designing Wireless DMZ
Placement of Wireless Equipment
Access to DMZ and Authentication Considerations
Wireless DMZ Components
Wireless DMZ Using RADIUS to Authenticate Users
WLAN DMZ Security Best-Practices
DMZ Router Security Best-Practice
DMZ Switch Security Best-Practice
Six Ways to Stop Data Leaks
Reconnex

Module 8: Snort Analysis
Snort Overview
Modes of Operation
Features of Snort
Configuring Snort
Variables
Preprocessors
Output Plugins
Rules
Working of Snort
Initializing Snort

Signal Handlers
Parsing the Configuration File
Decoding
Possible Decoders
Preprocessing
Detection
Content Matching
Content-Matching Functions
The Stream4 Preprocessor
Inline Functionality
Writing Snort Rules
Snort Rule Header
Snort Rule Header: Actions
Snort Rule Header: Other Fields
IP Address Negation Rule
IP Address Filters
Port Numbers
Direction Operator
Rule Options
Activate/Dynamic Rules
Meta-Data Rule Options: msg
Reference Keyword
sid/rev Keyword
Classtype Keyword
Payload Detection Rule Options: content
Modifier Keywords
Offset/depth Keyword
Uricontent keyword
fragoffset keyword
ttl keyword
id keyword
flags keyword
itype keyword : icmp id
Writing Good Snort Rules
Sample Rule to Catch Metasploit Buffer Overflow Exploit
Tool for writing Snort rules: IDS Policy Manager
Subscribe to Snort Rules

Honeynet Security Console Tool
Key Features

Module 9: Log Analysis
Introduction to Logs
Types of Logs
Events that Need to be Logged
What to Look Out For in Logs
W3C Extended Log File Format
Automated Log Analysis Approaches
Log Shipping
Analyzing Syslog
Syslog
Setting up a Syslog
Syslog: Enabling Message Logging
Main Display Window
Configuring Kiwi Syslog to Log to a MS SQL Database
Configuring Ethereal to Capture Syslog Messages
Sending Log Files via email
Configuring Cisco Router for Syslog
Configuring DLink Router for Syslog
Configuring Cisco PIX for Syslog
Configuring an Intertex / Ingate / PowerBit / SurfinBird ADSL router
Configuring a LinkSys wireless VPN Router
Configuring a Netgear ADSL Firewall Router
Analyzing Web Server Logs
Apache Web Server Log
AWStats
Configuring AWStats for IIS
Log Processing in AWStats
Analyzing Router Logs
Router Logs
Analyzing Wireless Network Devices Logs
Wireless Traffic Log
Analyzing Windows Logs
Configuring Firewall Logs in Local Windows System
Viewing Local Windows Firewall Log

Viewing Windows Event Log
Analyzing Linux Logs
iptables
Log Prefixing with iptables
Firewall Log Analysis with grep
Analyzing SQL Server Logs
SQL Database Log
ApexSQL Log
Configuring ApexSQL Log
Analyzing VPN Server Logs
VPN Client Log
Analyzing Firewall Logs
Why Firewall Logs are Important
Firewall Log Sample
ManageEngine Firewall Analyzer
Installing Firewall Analyzer
Viewing Firewall Analyzer Reports
Firewall Analyzer Log Reports
Analyzing IDS Logs
SnortALog
IDS Log Sample
Analyzing DHCP Logs
DHCP Log
NTP Configuration
Time Synchronization and Logging
NTP Overview
NTP Client Configuration
Configuring an NTP client using the Client Manager
Configuring an NTP Server
NTP: Setting Local Date and Time
Log Analysis Tools
All-Seeing Eye Tool: Event Log Tracker
Network Sniffer Interface Test Tool
Syslog Manager 2.0.1
Sawmill
WALLWATCHER
Log Alert Tools

Network Eagle Monitor
Network Eagle Monitor: Features
SQL Server Database Log Navigator
What Log Navigator does?
How Does Log Navigator Work?
Snortsnarf
Types of Snort Alarms
ACID (Analysis Console for Intrusion Databases)

Module 10: Advanced Exploits and Tools
Common Vulnerabilities
Buffer Overflows Revisited
Smashing the Stack for Fun and Profit
Smashing the Heap for Fun and Profit
Format Strings for Chaos and Mayhem
The Anatomy of an Exploit
Vulnerable code
Shellcoding
Shellcode Examples
Delivery Code
Delivery Code: Example
Linux Exploits Versus Windows
Windows Versus Linux
Tools of the Trade: Debuggers
Tools of the Trade: GDB
Tools of the Trade: Metasploit
Metasploit Framework
User-Interface Modes
Metasploit: Environment
Environment: Global Environment
Environment: Temporary Environment
Metasploit: Options
Metasploit: Commands
Metasploit: Launching the Exploit
MetaSploit: Advanced Features
Tools of the Trade: Canvas
Tools of the Trade: CORE Impact

IMPACT Industrializes Penetration Testing
Ways to Use CORE IMPACT
Other IMPACT Benefits
ANATOMY OF A REAL-WORLD ATTACK
CLIENT SIDE EXPLOITS
Impact Demo Lab

Module 11: Penetration Testing Methodologies

Module 12: Customers and Legal Agreements

Module 13: Rules of Engagement

Module 14: Penetration Testing Planning and Scheduling

Module 15: Pre Penetration Testing Checklist

Module 16: Information Gathering

Module 17: Vulnerability Analysis

Module 18: External Penetration Testing

Module 19: Internal Network Penetration Testing

Module 20: Routers and Switches Penetration Testing

Module 21: Firewall Penetration Testing

Module 22: IDS Penetration Testing

Module 23: Wireless Network Penetration Testing

Module 24: Denial of Service Penetration Testing

Module 25: Password Cracking Penetration Testing

Module 26: Social Engineering Penetration Testing

Module 27: Stolen Laptop, PDAs and Cell phones Penetration Testing

Module 28: Application Penetration Testing

Module 29: Physical Security Penetration Testing

Module 30: Database Penetration testing

Module 31: VoIP Penetration Testing

Module 32: VPN Penetration Testing

Module 33: War Dialing

Module 34: Virus and Trojan Detection

Module 35: Log Management Penetration Testing

Module 36: File Integrity Checking

Module 37: Blue Tooth and Hand held Device Penetration Testing

Module 38: Telecommunication and Broadband Communication Penetration Testing

Module 39: Email Security Penetration Testing

Module 40: Security Patches Penetration Testing

Module 41: Data Leakage Penetration Testing

Module 42: Penetration Testing Deliverables and Conclusion

Module 43: Penetration Testing Report and Documentation Writing

Module 44: Penetration Testing Report Analysis

Module 45: Post Testing Actions

Module 46: Ethics of a Licensed Penetration Tester

Module 47: Standards and Compliance

© 2007 EC-Council. All rights reserved. This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. EC-Council logo is registered trademarks or trademarks of EC-Council in the United States and/or other countries.

