Hacking & Securing Windows - Course Content

1. Target Identification

  • External Queries
    - WHOIS, DIG, NSLOOKUP
  • Footprinting Tools
  • Web Enquiry Tools
  • Intelligence Gathering
    - Uncovering all the entry points
    - Bonus "free-entry" coupons
  • Scanning
    - Finding Machines
    - Ping Sweeps to Complex Scans
    - Command-line tools
    - Power Tools
    - Detailed port scanning
    - OS Identification
    - Service Enumeration
  • Deeper Probing
    - Identifying the best entry points
    - Discovering open doors
    - Banner Grabbing
    - Pinpointing weak defences
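
Added example (not part of the course material): the port scanning and banner grabbing steps listed above, written in Python. A constructed local service stands in for the target so the scan runs offline; the banner text, host name and ports are made up for the example.

```python
"""Connect scan plus banner grab (added example, not course material).
A constructed local service stands in for the target so it runs offline."""
import socket
import threading
from typing import Dict, List, Optional


def start_fake_service(banner: bytes, host: str = "127.0.0.1") -> int:
    """Listen on an ephemeral port; send `banner` (if any) to each client, then
    hold the connection until the client speaks or hangs up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                try:
                    conn.recv(1)   # block until the client closes
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port(host: str = "127.0.0.1") -> int:
    """A port that is almost certainly closed: bind to 0, note the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect to host:port and read whatever the service volunteers.
    Returns the greeting ('' if the port is open but silent within `timeout`),
    or None if the connection is refused or times out (closed / filtered)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(1024)
            except OSError:
                data = b""   # open, but it expects the client to talk first (e.g. HTTP)
            return data.decode("ascii", errors="replace").strip()
    except OSError:
        return None


def scan_ports(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """TCP connect scan: every open port mapped to its banner (possibly '')."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    # Constructed targets: a chatty SMTP-like service, a silent one, and a closed port.
    smtp = start_fake_service(b"220 mail.example.test ESMTP Service ready\r\n")
    quiet = start_fake_service(b"")
    closed = free_closed_port()
    for port, banner in sorted(scan_ports("127.0.0.1", [smtp, quiet, closed]).items()):
        print(f"{port}/tcp open   {banner or '(no banner)'}")
```

A connect scan completes the TCP handshake, so it shows up in the target's logs; the empty-banner case matters because many services (HTTP, for one) say nothing until the client sends a request, and a scanner that treats silence as "closed" misses them.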

Lab Session: Developing an attack profile of one of our supplied targets, or even your own company.

2. Target Analysis

  • OS Fingerprinting - know exactly what you're dealing with... and select the appropriate hack
  • Version Identification
  • Advanced Scanning Tools
  • Routers and Network Appliances
    - Overlooked and Underestimated
    - Routing a Cisco
  • DSL and Cable gateways
    - Hackable by Default?
  • System Enumeration
    - Locking On The Target
    - Finding Users and Groups
    - Machines and Domains
    - Logins and Passwords
    - Security policies
    - Shares and more
  • Hack Tools by Microsoft
    - Tools supplied with the OS
    - Resource Kits or Hack kits?
  • Hack Tools by Others
  • NetBIOS Attacks
    - On the network wire, or Remotely
    - And even when "disabled"!
    - Get Domains and Hosts
    - Get Accounts/Users and Groups
    - Get key intelligence
  • Searching for Power
    - Domain Controllers and especially BDCs
    - Web Servers
    - Database Servers
    - Less protected systems
  • Mapping Networks
  • Dirty DNS Tricks
  • Bill's Bodacious Gift
    - The NULL Session
    - Gets Shares, Users, Groups
    - Gets Policies, and Plenty More
  • Beating Account Lockout

Lab Session: Fully scoping our target network, gaining unauthorised entry, and attempting to take control.

3. Target Acquisition

  • Local Penetration
    - Using OS Doorways/bugs
    - Social Engineering
  • Entry By Local Exploit
    - Famous NT Attacks
    - NT, 2K and XP Attacks
    - Riding the debugger
    - Named Pipe predictability
    - Using privileged processes
    - Architectural flaws
    - Borrowing parent privs
  • Localising Remote Attacks
    - Targeting 127.0.0.1
    - An obvious new technique
  • Classic IIS Attacks
    - Directory Traversal
    - Buffer/heap Overflows
    - ISAPI Exploits
  • Taking Control of IIS
    - Directory Traversal
    - Uploading ASP pages
    - Executing Commands
    - Using tftp
  • IIS Destroyers
    - All-powerful SYSTEM access
    - Replacing IIS .DLLs
    - Buffer overflows
  • Other Servers
    - SSL Attacks
    - Exchange and SQL Exploits
  • On the Warpath
    - Enumerate, Sniff, Hijack
    - Scan and Grab
    - Identify and Target
    - Privilege Elevation
  • Attack Desktop Apps
    - Internet Explorer
    - Outlook and Office
  • Attacking Server Apps
    - IIS
    - SQL Server
    - Terminal Server
    - Exchange Server
  • Attacking Services
    - RPC/DCOM
    - LSASS
  • Social Engineering
  • Trojans and Traps
  • Firewalls
    - Tunneling Out from Inside
    - Shovelling Out
  • More Enumeration
    - SNMP and Active Directory
    - Using OS Doorways/bugs
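
Added example (not part of the course material): a detector for the IIS directory traversal requests listed above, run over constructed W3C log lines. It normalises the encodings those attacks relied on, "%c0%af" (an overlong UTF-8 encoding of "/") and "%255c" (a double-encoded "\"), before looking for ".." path segments, so a literal ".." inside a file name is not a false positive. The log lines, addresses and paths are constructed.

```python
"""Directory-traversal detector for IIS W3C logs (added example, not course
material). The log lines below are constructed for the example."""
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Constructed W3C extended log excerpt:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-03 08:12:01 192.0.2.10 GET /default.asp - 200
2001-10-03 08:12:05 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-10-03 08:12:06 192.0.2.44 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-10-03 08:12:09 192.0.2.10 GET /images/logo.gif - 200
2001-10-03 08:12:11 192.0.2.44 GET /msadc/..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-10-03 08:12:12 198.51.100.7 GET /docs/release..notes.txt - 200
"""


def _fold_overlong_utf8(raw: bytes) -> bytes:
    """Replace 2-byte overlong UTF-8 sequences (lead byte C0 or C1) with the
    ASCII byte they encode: C0 AF -> '/', C1 9C -> '\\'. Strict decoders reject
    these; the affected IIS versions decoded them only after checking for '..'."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_uri(stem: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (the second pass exposes %255c -> %5c -> '\\'),
    fold overlong UTF-8 after each pass, and unify '\\' to '/'."""
    raw = stem.encode("latin-1", errors="replace")
    for _ in range(rounds):
        decoded = _fold_overlong_utf8(unquote_to_bytes(raw))
        if decoded == raw:
            break
        raw = decoded
    return raw.decode("latin-1").replace("\\", "/")


def is_traversal(stem: str) -> bool:
    """True when some path segment is exactly '..' after normalisation.
    Matching whole segments keeps '/docs/release..notes.txt' from being flagged."""
    return any(seg == ".." for seg in normalize_uri(stem).split("/"))


def find_traversals(log_text: str) -> List[Tuple[str, str, str]]:
    """(time, client IP, normalised path) for every request that tries to leave the webroot."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, time_, ip, _method, stem, _query, _status = fields[:7]
        if is_traversal(stem):
            hits.append((time_, ip, normalize_uri(stem)))
    return hits


if __name__ == "__main__":
    for time_, ip, path in find_traversals(SAMPLE_LOG):
        print(f"{time_} {ip} traversal -> {path}")
```

The 404 line is still reported: a failed attempt is the earliest warning that someone is probing the server. The folding here covers 2-byte overlong forms only; 3-byte overlong encodings of the same characters (E0 80 AF and the like) would need the same treatment.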

Lab Session: Getting into local machines, and taking control of public Web servers.

4. Target Control

  • Getting an admin account
  • Escalating Privileges
    - Password Attacks in Detail
    - Exploits Revealed
  • Defeating Security Policies
    - Account Lockout
    - Auditing
  • Sneak Attacks
    - Insert a trojan
    - Insert a keylogger
    - Man-in-the-Middle attacks
  • Owning the Target
    - Get Admin
    - Get a command shell
    - Start loading
  • Uploading a Toolkit
    - Remote Control tools
    - Command-line control
    - Remote GUI control
  • Branching out into the network
  • Building Back Doors
  • Hiding Tools

Lab Session, Part 1: On the LAN. Take control of your victim, get Admin with exploits, get Admin by getting passwords. Load your root kit remotely.

Lab Session, Part 2: Via the Internet, and through a firewall... get Admin, and load your Kit.

5. Attack Summarised

  • Attack Methodology
    - Footprint and Scan
    - Enumeration
    - Penetration
    - Privilege Escalation
    - Invasion
    - Branching Out
    - Covering Your Tracks
  • Attack Tools Review
    - Windows Tools
    - Resource Kits
    - Free Security and Attack Tools
    - Where to Get them
    - How to Use Them
  • Exploits
    - How to get in directly
    - Entry via IIS
    - Using SQL Server's power
    - Collecting Passwords
    - Application Attacks
  • Finding New Exploits
  • Take-away Attack Tools
    - Power exploits
    - Exploit Frameworks

Lab Session: War Games, Part 1. Delegates face their toughest challenge yet - trying to break into the speaker's precious laptop. This has proven to be one of the most popular and challenging sessions in the entire course.

6. Defence Detailed

  • Hardening Systems
    - Configuration Issues
  • Defence Strategy
    - Stop it getting in
    - Stop it succeeding
    - Stop it getting out
    - Detect it
  • Policy Lockdown
    - Microsoft guides
    - NSA Guides
    - Templates
  • System Lockdown
    - Remove built-in backdoors
    - OS Firewalling
  • Server Lockdown
    - Web Servers
    - Application Firewalls
    - Web Applications
    - SQL Servers
  • Remote and Mobile Systems
  • Attack Detection
    - HIDS, NIDS and monitors
  • Firewall Recommendations
  • Honeypots
  • Vendor Updates
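
Added example (not part of the course material) covering two points on this outline at once: the password attacks and account lockout material in section 4, and the attack detection material above. It analyses failed-logon audit records and separates the noisy single-account guesser (who trips lockout) from a password spray that deliberately stays under the lockout threshold. The records are constructed; their fields follow the Security log's logon-failure audit (time, target account, source address, NTSTATUS sub-status as recorded by event 4625 on current Windows; NT-era systems logged events 529/539 instead). Thresholds and window are illustrative parameters.

```python
"""Failed-logon analysis for password guessing and spraying (added example, not
course material). The records below are constructed; their fields follow the
Security log's logon-failure audit: time, target account, source address and
NTSTATUS sub-status (event 4625 on current Windows; 529/539 on NT-era systems)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed records. Sub-status: 0xC000006A wrong password,
# 0xC0000064 no such account, 0xC0000234 account locked out.
SAMPLE_EVENTS = """\
2004-05-12 09:00:03,jsmith,10.1.1.5,0xC000006A
2004-05-12 09:00:04,jsmith,10.1.1.5,0xC000006A
2004-05-12 09:00:05,jsmith,10.1.1.5,0xC000006A
2004-05-12 09:00:06,jsmith,10.1.1.5,0xC000006A
2004-05-12 09:00:07,jsmith,10.1.1.5,0xC000006A
2004-05-12 09:00:08,jsmith,10.1.1.5,0xC0000234
2004-05-12 09:10:00,abrown,10.1.1.77,0xC000006A
2004-05-12 09:10:01,cjones,10.1.1.77,0xC000006A
2004-05-12 09:10:02,dlee,10.1.1.77,0xC000006A
2004-05-12 09:10:03,epatel,10.1.1.77,0xC000006A
2004-05-12 09:10:04,fwong,10.1.1.77,0xC0000064
2004-05-12 09:10:05,gkhan,10.1.1.77,0xC000006A
2004-05-12 09:10:06,hmoore,10.1.1.77,0xC000006A
2004-05-12 10:30:00,jsmith,10.1.2.9,0xC000006A
2004-05-12 11:30:00,jsmith,10.1.2.9,0xC000006A
"""

Event = Tuple[datetime, str, str, str]   # (time, target account, source ip, sub-status)


def parse_events(text: str) -> List[Event]:
    """Parse the comma-separated records above into typed tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, sub = [f.strip() for f in line.split(",")]
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, sub))
    return events


def detect_guessing(events: List[Event], lockout_threshold: int = 5,
                    window: timedelta = timedelta(minutes=30),
                    spray_accounts: int = 5) -> Dict[Tuple[str, str], dict]:
    """Slide `window` over each source's failures and classify:
      'brute_force': one account collects >= lockout_threshold failures (noisy, and
                     it trips lockout, which is why a guesser who knows the policy stops one short);
      'spray':       >= spray_accounts distinct accounts, every one below the threshold
                     (the under-the-lockout pattern the policy alone never catches).
    Returns the strongest window seen per (kind, source)."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    alerts: Dict[Tuple[str, str], dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            per_account: Dict[str, int] = defaultdict(int)
            for t, user, _, _ in evs[i:]:
                if t - start > window:
                    break
                per_account[user] += 1
            if any(n >= lockout_threshold for n in per_account.values()):
                kind = "brute_force"
            elif len(per_account) >= spray_accounts:
                kind = "spray"
            else:
                continue
            total = sum(per_account.values())
            key = (kind, ip)
            if key not in alerts or total > alerts[key]["failures"]:
                alerts[key] = {"failures": total, "accounts": sorted(per_account)}
    return alerts


if __name__ == "__main__":
    for (kind, ip), info in sorted(detect_guessing(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{kind:12} from {ip}: {info['failures']} failures "
              f"against {len(info['accounts'])} account(s): {', '.join(info['accounts'])}")
```

Note what the rule does not flag: 10.1.2.9 tries the same account once an hour, so it stays under the lockout threshold and outside the 30-minute window. That is the "beating account lockout" pattern from section 2 in practice; catching it needs a longer observation window and correlation across sources, and it is a reminder that lockout policy is a speed bump, not a detection control.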

Lab Session: War Games, Part 2. Delegates form teams to set up a fortified system each - and then set out to be first to crack the opposition.