LinuxCBT.com

Syllabus

Focus: Reconnaissance and Network Mapping

Duration: 16 Hours

  • Reconnaissance Tools | Methods

    • Introduction - Topology - Features
      • Enumerate important Nmap features
      • Explore network topology
      • Identify key systems to be used

    • Nmap Installation
      • Identify target platforms
      • Import PGP/GPG signatures
      • Obtain sources and checksums
      • Confirm PGP/GPG signatures and checksums
      • Install Nmap on multiple platforms

    • Host Discovery
      • Discuss features and benefits
      • Evaluate various discovery methods
      • Survey topology
      • Identify targets
      • Compare & contrast findings

    • TCP | UDP Scans
      • Explore common scan techniques
      • Identify available services
      • Confirm Nmap findings
      • Tweak scans accordingly
      • Evaluate results

    • Operating System | Service Detection | Versioning
      • Discuss features and benefits
      • Identify available operating systems
      • Pinpoint interesting services
      • Define baseline scans
      • Evaluate results

    • Zenmap
      • Explore interface
      • Perform common scans
      • Compare & contrast findings
      • Evaluate on multiple platforms

    • Reporting | Compliance | ndiff
      • Highlight rationale
      • Generate usage reports
      • Detect topological changes
      • Compare results with 'ndiff'
      • Evaluate results

    • Nmap Scripting Engine (NSE)
      • Explore Nmap extensions
      • Discuss usage
      • Ascertain NSE-provided data from targets
      • Evaluate various NSE scripts

    • Timing | Performance
      • Explore timing | performance options
      • Tweak Nmap's responsiveness
      • Evaluate efficacy

    • Useful | Interactive Options
      • Evaluate miscellaneous Nmap options
      • Interact with Nmap scans accordingly
      • Evaluate results

    • Nmap Version 6.x
      • Obtain and install from sources
      • Upgrade on various systems
      • Identify key improvements
      • Perform scans and evaluate
      • Peruse Zenmap version 6.x GUI
      • Contrast accordingly
      • Evaluate results

    • 'acccheck'
      • Discuss applicability
      • Find SMB targets
      • Build sample profile files
      • Check hosts for BLANK credentials
      • Change credentials for user
      • Confirm ability to connect

    • 'automater'
      • Discuss features
      • Query target domain for useful details
      • Query IP
      • Explore results

    • 'cisco-torch'
      • Discuss applicability
      • Scan network using all fingerprints
      • Search for specific protocols on devices
      • Log results
      • Search for useful SNMP details

    • 'dnsenum'
      • Discuss features
      • Enumerate target domain details
      • Brute-force scan target domain
      • Store located subdomains for reference
      • Expedite queries

    • 'dnsrecon'
      • Discuss features
      • Compare with 'dnsenum'
      • Find: SOA, NS, A, AAAA, TXT records
      • Check if DNS server supports unauthorized AXFR
      • Query Google to enumerate unlisted subdomains
      • Perform Whois analysis to learn more about domain
      • Brute-force attack DNS server
      • Use different source list to attack DNS server

    • 'dnswalk'
      • Discuss features
      • Contrast with: 'dns(enum|recon)'
      • Query AXFR-disabled DNS server and evaluate
      • Enable AXFR on internal DNS server and target
      • Fix errors disclosed by 'dnswalk' in DNS setup
      • Break DNS setup with bogus DNS server
      • Use 'dnswalk' to query and discuss

    • 'hping3'
      • Discuss features
      • Contrast with 'ping', 'nmap', 'traceroute'
      • Basic TCP | ICMP usage
      • Generate various rates of packets and tweak
      • Quickly scan target ports

    • '0trace.sh'
      • Discuss applicability
      • Trace connection within broadcast domain
      • Connect to server multiple hops away
      • Generate packets and trace route to target

    • 'intrace'
      • Discuss features
      • Contrast with: '0trace.sh'
      • Generate local and remote connections
      • Trace routes between endpoints
      • Reverse trace route from server to endpoint

    • 'lbd'
      • Discuss features
      • Query various domains
      • Identify presence of load balancer

    • 'p0f'
      • Discuss features
      • Launch in promiscuous mode
      • Generate packets with 'hping3'
      • Analyze passively-detected system attributes
      • Vary input and examine new details
      • Apply BPF to target interesting node
      • Log output and daemonize
      • Explore captured data

    • 'masscan'
      • Discuss features
      • Generate ICMP and SSH scan
      • Scan network for hosts with target ports
      • Vary scan rate to expedite results delivery
      • Grab banners from targets
      • Pause | Resume scans
      • Log output

    • 'sslyze'
      • Discuss features
      • Perform normal SSL scan of target
      • Review and discuss results
      • Scan targets for specific cipher suites
      • Contrast with 'nmap' scans

    • 'sslscan'
      • Discuss features
      • Compare with 'sslyze' and 'nmap'
      • Check targets for OCSP Stapling
      • Query RDP Windows host's SSL details

    • 'theharvester'
      • Discuss features
      • Find info from Google about target domain
      • Search PGP database for listings
      • Check LinkedIn references to domain
      • Query various domains for outdated info

    • 'urlcrazy'
      • Discuss features
      • Discuss use-cases
      • Search for domain variants
      • Identify possible conflicts | squats
      • Search for market-confusing registrations

    • 'cewl'
      • Discuss features
      • Scrape target domain for interesting words
      • Reduce set to likely passwords
      • Extract e-mail addresses - if stored
      • Discuss benefits

    • 'recon-ng'
      • Discuss features
      • Explore common global commands
      • Search for relevant modules
      • Brute-force domain suffix of target
      • PGP-search domain contacts
      • Search for Remote Access vectors at target

    • Nmap 7.x
      • Discuss features
      • Perform protocol scans on target
      • Traceroute to target
      • Display reason for port state
      • Execute in unprivileged mode
      • Trace packets between Nmap and target
      • Generate various logs
      • Query Whois for public details
      • Check for HTTP vulnerabilities
      • Return useful SSL details

    • 'sparta' - Reconnaissance
      • Launch
      • Explore interface
      • Discuss features
      • Improve Session-Cookie security
      • Remove unwanted DocumentRoot entries
      • Explore other findings

    • 'netdiscover' - Reconnaissance
      • Disable L3 configuration
      • Passive reconnaissance
      • Targeted reconnaissance
      • Sniff ARP requests
      • Enable L3 configuration

LinuxCBT Recon Edition
