CEHv12 Course Outline


Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Course Outline

Ethical Hacking and Countermeasures


Course Outline
(Version 12)

Module 01: Introduction to Ethical Hacking


Information Security Overview
▪ Elements of Information Security
▪ Motives, Goals, and Objectives of Information Security Attacks
▪ Classification of Attacks
▪ Information Warfare
Hacking Methodologies and Frameworks
▪ CEH Hacking Methodology (CHM)
▪ Cyber Kill Chain Methodology
▪ Tactics, Techniques, and Procedures (TTPs)
▪ Adversary Behavioral Identification
▪ Indicators of Compromise (IoCs)
o Categories of Indicators of Compromise
▪ MITRE ATT&CK Framework
▪ Diamond Model of Intrusion Analysis
Hacking Concepts
▪ What is Hacking?
▪ Who is a Hacker?
▪ Hacker Classes

Page | 1 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking Concepts
▪ What is Ethical Hacking?
▪ Why Ethical Hacking is Necessary
▪ Scope and Limitations of Ethical Hacking
▪ Skills of an Ethical Hacker
Information Security Controls
▪ Information Assurance (IA)
▪ Continual/Adaptive Security Strategy
▪ Defense-in-Depth
▪ What is Risk?
o Risk Management
▪ Cyber Threat Intelligence
o Threat Intelligence Lifecycle
▪ Threat Modeling
▪ Incident Management
o Incident Handling and Response
▪ Role of AI and ML in Cyber Security
o How Do AI and ML Prevent Cyber Attacks?
Information Security Laws and Standards
▪ Payment Card Industry Data Security Standard (PCI DSS)
▪ ISO/IEC 27001:2013
▪ Health Insurance Portability and Accountability Act (HIPAA)
▪ Sarbanes Oxley Act (SOX)
▪ The Digital Millennium Copyright Act (DMCA)
▪ The Federal Information Security Management Act (FISMA)
▪ General Data Protection Regulation (GDPR)
▪ Data Protection Act 2018 (DPA)
▪ Cyber Law in Different Countries

Module 02: Footprinting and Reconnaissance


Footprinting Concepts
▪ What is Footprinting?
▪ Information Obtained in Footprinting
▪ Footprinting Methodology
Footprinting through Search Engines
▪ Footprinting through Search Engines
▪ Footprint Using Advanced Google Hacking Techniques
▪ Google Hacking Database
▪ VPN Footprinting through Google Hacking Database
▪ Other Techniques for Footprinting through Search Engines
o Google Advanced Search
o Advanced Image Search
o Reverse Image Search
o Video Search Engines
o Meta Search Engines
o FTP Search Engines
o IoT Search Engines
Footprinting through Web Services
▪ Finding a Company’s Top-Level Domains (TLDs) and Sub-domains
▪ Finding the Geographical Location of the Target
▪ People Search on Social Networking Sites and People Search Services
▪ Gathering Information from LinkedIn
▪ Harvesting Email Lists
▪ Footprinting through Job Sites
▪ Deep and Dark Web Footprinting
▪ Determining the Operating System
▪ VoIP and VPN Footprinting through SHODAN
▪ Competitive Intelligence Gathering
▪ Other Techniques for Footprinting through Web Services
o Finding the Geographical Location of the Target

o Gathering Information from Financial Services
o Gathering Information from Business Profile Sites
o Monitoring Targets Using Alerts
o Tracking the Online Reputation of the Target
o Gathering Information from Groups, Forums, and Blogs
o Gathering Information from NNTP Usenet Newsgroups
o Gathering Information from Public Source-Code Repositories
Footprinting through Social Networking Sites
▪ Collecting Information through Social Engineering on Social Networking Sites
▪ General Resources for Locating Information from Social Media Sites
▪ Conducting Location Search on Social Media Sites
▪ Constructing and Analyzing Social Network Graphs
▪ Tools for Footprinting through Social Networking Sites
Website Footprinting
▪ Website Footprinting
▪ Website Footprinting using Web Spiders
▪ Mirroring Entire Website
▪ Extracting Website Information from https://archive.org
▪ Other Techniques for Website Footprinting
o Extracting Website Links
o Gathering the Wordlist from the Target Website
o Extracting Metadata of Public Documents
o Monitoring Web Pages for Updates and Changes
o Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website
o Searching for Web Pages Posting Patterns and Revision Numbers
o Monitoring Website Traffic of the Target Company
Email Footprinting
▪ Tracking Email Communications
▪ Email Tracking Tools

Whois Footprinting
▪ Whois Lookup
▪ Finding IP Geolocation Information
DNS Footprinting
▪ Extracting DNS Information
▪ Reverse DNS Lookup
Network Footprinting
▪ Locate the Network Range
▪ Traceroute
▪ Traceroute Analysis
▪ Traceroute Tools
Footprinting through Social Engineering
▪ Footprinting through Social Engineering
▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
▪ Footprinting Tools: Maltego and Recon-ng
▪ Footprinting Tools: FOCA and OSRFramework
▪ Footprinting Tools: OSINT Framework
▪ Footprinting Tools: Recon-Dog and BillCipher
▪ Footprinting Tools: Spyse
Footprinting Countermeasures
▪ Footprinting Countermeasures

Module 03: Scanning Networks


Network Scanning Concepts
▪ Overview of Network Scanning
▪ TCP Communication Flags
▪ TCP/IP Communication
Scanning Tools
▪ Scanning Tools: Nmap

▪ Scanning Tools: Hping3
o Hping Commands
▪ Scanning Tools
▪ Scanning Tools for Mobile
Host Discovery
▪ Host Discovery Techniques
o ARP Ping Scan
o UDP Ping Scan
o ICMP ECHO Ping Scan
o ICMP ECHO Ping Sweep
o ICMP Timestamp Ping Scan
o ICMP Address Mask Ping Scan
o TCP SYN Ping Scan
o TCP ACK Ping Scan
o IP Protocol Ping Scan
o Ping Sweep Tools
Port and Service Discovery
▪ Port Scanning Techniques
o TCP Scanning
• TCP Connect/Full Open Scan
• Stealth Scan (Half-open Scan)
• Inverse TCP Flag Scan
✓ Xmas Scan
✓ FIN Scan
✓ NULL Scan
✓ TCP Maimon Scan
• ACK Flag Probe Scan
✓ TTL-Based Scan
✓ Window-Based Scan
• IDLE/IPID Header Scan
o UDP Scan

o SCTP INIT Scan
o SCTP COOKIE ECHO Scan
o SSDP and List Scan
o IPv6 Scan
▪ Service Version Discovery
▪ Nmap Scan Time Reduction Techniques
OS Discovery (Banner Grabbing/OS Fingerprinting)
▪ OS Discovery/Banner Grabbing
▪ How to Identify Target System OS
o OS Discovery using Wireshark
o OS Discovery using Nmap and Unicornscan
o OS Discovery using Nmap Script Engine
o OS Discovery using IPv6 Fingerprinting
Scanning Beyond IDS and Firewall
▪ IDS/Firewall Evasion Techniques
o Packet Fragmentation
o Source Routing
o Source Port Manipulation
o IP Address Decoy
o IP Address Spoofing
o MAC Address Spoofing
o Creating Custom Packets
o Randomizing Host Order and Sending Bad Checksums
o Proxy Servers
• Proxy Chaining
• Proxy Tools
• Proxy Tools for Mobile
o Anonymizers
• Censorship Circumvention Tools: Alkasir and Tails
Network Scanning Countermeasures
▪ Ping Sweep Countermeasures

▪ Port Scanning Countermeasures
▪ Banner Grabbing Countermeasures
▪ IP Spoofing Detection Techniques
o Direct TTL Probes
o IP Identification Number
o TCP Flow Control Method
▪ IP Spoofing Countermeasures
▪ Scanning Detection and Prevention Tools

Module 04: Enumeration


Enumeration Concepts
▪ What is Enumeration?
▪ Techniques for Enumeration
▪ Services and Ports to Enumerate
NetBIOS Enumeration
▪ NetBIOS Enumeration
▪ NetBIOS Enumeration Tools
▪ Enumerating User Accounts
▪ Enumerating Shared Resources Using Net View
SNMP Enumeration
▪ SNMP (Simple Network Management Protocol) Enumeration
▪ Working of SNMP
▪ Management Information Base (MIB)
▪ Enumerating SNMP using SnmpWalk
▪ Enumerating SNMP using Nmap
▪ SNMP Enumeration Tools
LDAP Enumeration
▪ LDAP Enumeration
▪ Manual and Automated LDAP Enumeration
▪ LDAP Enumeration Tools

NTP and NFS Enumeration
▪ NTP Enumeration
▪ NTP Enumeration Commands
▪ NTP Enumeration Tools
▪ NFS Enumeration
▪ NFS Enumeration Tools
SMTP and DNS Enumeration
▪ SMTP Enumeration
▪ SMTP Enumeration using Nmap
▪ SMTP Enumeration using Metasploit
▪ SMTP Enumeration Tools
▪ DNS Enumeration Using Zone Transfer
▪ DNS Cache Snooping
▪ DNSSEC Zone Walking
▪ DNS and DNSSEC Enumeration using Nmap
Other Enumeration Techniques
▪ IPsec Enumeration
▪ VoIP Enumeration
▪ RPC Enumeration
▪ Unix/Linux User Enumeration
▪ Telnet and SMB Enumeration
▪ FTP and TFTP Enumeration
▪ IPv6 Enumeration
▪ BGP Enumeration
Enumeration Countermeasures
▪ Enumeration Countermeasures
▪ DNS Enumeration Countermeasures

Module 05: Vulnerability Analysis


Vulnerability Assessment Concepts
▪ What is Vulnerability?

o Examples of Vulnerabilities
▪ Vulnerability Research
▪ Resources for Vulnerability Research
▪ What is Vulnerability Assessment?
▪ Vulnerability Scoring Systems and Databases
▪ Vulnerability-Management Life Cycle
o Pre-Assessment Phase
o Vulnerability Assessment Phase
o Post Assessment Phase
Vulnerability Classification and Assessment Types
▪ Vulnerability Classification
o Misconfigurations/Weak Configurations
o Application Flaws
o Poor Patch Management
o Design Flaws
o Third-Party Risks
o Default Installations/Default Configurations
o Operating System Flaws
o Default Passwords
o Zero-Day Vulnerabilities
o Legacy Platform Vulnerabilities
o System Sprawl/Undocumented Assets
o Improper Certificate and Key Management
▪ Types of Vulnerability Assessment
Vulnerability Assessment Tools
▪ Comparing Approaches to Vulnerability Assessment
▪ Characteristics of a Good Vulnerability Assessment Solution
▪ Working of Vulnerability Scanning Solutions
▪ Types of Vulnerability Assessment Tools
▪ Choosing a Vulnerability Assessment Tool
▪ Criteria for Choosing a Vulnerability Assessment Tool

▪ Best Practices for Selecting Vulnerability Assessment Tools
▪ Vulnerability Assessment Tools: Qualys Vulnerability Management
▪ Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard
▪ Vulnerability Assessment Tools: OpenVAS and Nikto
▪ Other Vulnerability Assessment Tools
▪ Vulnerability Assessment Tools for Mobile
Vulnerability Assessment Reports
▪ Vulnerability Assessment Reports
▪ Components of a Vulnerability Assessment Report

Module 06: System Hacking


Gaining Access
▪ Cracking Passwords
o Microsoft Authentication
o How Hash Passwords Are Stored in Windows SAM?
o NTLM Authentication Process
o Kerberos Authentication
o Password Cracking
o Types of Password Attacks
• Non-Electronic Attacks
• Active Online Attacks
✓ Dictionary, Brute-Force, and Rule-based Attack
✓ Password Spraying Attack and Mask Attack
✓ Password Guessing
✓ Default Passwords
✓ Trojans/Spyware/Keyloggers
✓ Hash Injection/Pass-the-Hash (PtH) Attack
✓ LLMNR/NBT-NS Poisoning
✓ Internal Monologue Attack
✓ Cracking Kerberos Password
✓ Pass the Ticket Attack

✓ Other Active Online Attacks
• Passive Online Attacks
✓ Wire Sniffing
✓ Man-in-the-Middle/Manipulator-in-the-Middle and Replay Attacks
• Offline Attacks
✓ Rainbow Table Attack
✓ Distributed Network Attack
o Password Recovery Tools
o Tools to Extract the Password Hashes
o Password Cracking using Domain Password Audit Tool (DPAT)
o Password-Cracking Tools: L0phtCrack and ophcrack
o Password-Cracking Tools
o Password Salting
o How to Defend against Password Cracking
o How to Defend against LLMNR/NBT-NS Poisoning
o Tools to Detect LLMNR/NBT-NS Poisoning
▪ Vulnerability Exploitation
o Exploit Sites
o Buffer Overflow
• Types of Buffer Overflow: Stack-Based Buffer Overflow
• Types of Buffer Overflow: Heap-Based Buffer Overflow
• Simple Buffer Overflow in C
• Windows Buffer Overflow Exploitation
o Return-Oriented Programming (ROP) Attack
o Exploit Chaining
o Active Directory Enumeration Using PowerView
o Domain Mapping and Exploitation with Bloodhound
o Identifying Insecurities Using GhostPack Seatbelt
o Buffer Overflow Detection Tools
o Defending against Buffer Overflows

Escalating Privileges
▪ Privilege Escalation
▪ Privilege Escalation Using DLL Hijacking
▪ Privilege Escalation by Exploiting Vulnerabilities
▪ Privilege Escalation Using Dylib Hijacking
▪ Privilege Escalation Using Spectre and Meltdown Vulnerabilities
▪ Privilege Escalation Using Named Pipe Impersonation
▪ Privilege Escalation by Exploiting Misconfigured Services
▪ Pivoting and Relaying to Hack External Machines
▪ Privilege Escalation Using Misconfigured NFS
▪ Privilege Escalation Using Windows Sticky Keys
▪ Privilege Escalation by Bypassing User Account Control (UAC)
▪ Privilege Escalation by Abusing Boot or Logon Initialization Scripts
▪ Privilege Escalation by Modifying Domain Policy
▪ Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack
▪ Other Privilege Escalation Techniques
o Access Token Manipulation
o Parent PID Spoofing
o Application Shimming
o Filesystem Permission Weakness
o Path Interception
o Abusing Accessibility Features
o SID-History Injection
o COM Hijacking
o Scheduled Tasks in Windows
o Scheduled Tasks in Linux
o Launch Daemon
o Plist Modification
o Setuid and Setgid
o Web Shell
o Abusing Sudo Rights

o Abusing SUID and SGID Permissions
o Kernel Exploits
▪ Privilege Escalation Tools
▪ How to Defend Against Privilege Escalation
o Tools for Defending against DLL and Dylib Hijacking
o Defending against Spectre and Meltdown Vulnerabilities
o Tools for Detecting Spectre and Meltdown Vulnerabilities
Maintaining Access
▪ Executing Applications
o Remote Code Execution Techniques
• Tools for Executing Applications
o Keylogger
• Types of Keystroke Loggers
• Remote Keylogger Attack Using Metasploit
• Hardware Keyloggers
• Keyloggers for Windows
• Keyloggers for macOS
o Spyware
• Spyware Tools: Spytech SpyAgent and Power Spy
• Spyware Tools
o How to Defend Against Keyloggers
• Anti-Keyloggers
o How to Defend Against Spyware
• Anti-Spyware
▪ Hiding Files
o Rootkits
• Types of Rootkits
• How a Rootkit Works
• Popular Rootkits
✓ Purple Fox Rootkit
✓ MoonBounce
✓ Dubbed Demodex Rootkit
• Detecting Rootkits
• Steps for Detecting Rootkits
• How to Defend against Rootkits
• Anti-Rootkits
o NTFS Data Stream
• How to Create NTFS Streams
• NTFS Stream Manipulation
• How to Defend against NTFS Streams
• NTFS Stream Detectors
o What is Steganography?
• Classification of Steganography
• Types of Steganography based on Cover Medium
✓ Whitespace Steganography
✓ Image Steganography
➢ Image Steganography Tools
✓ Document Steganography
✓ Video Steganography
✓ Audio Steganography
✓ Folder Steganography
✓ Spam/Email Steganography
✓ Other Types of Steganography
• Steganography Tools for Mobile Phones
• Steganalysis
• Steganalysis Methods/Attacks on Steganography
• Detecting Steganography (Text, Image, Audio, and Video Files)
• Steganography Detection Tools
▪ Establishing Persistence
o Maintaining Persistence by Abusing Boot or Logon Autostart Executions
o Domain Dominance through Different Paths
• Remote Code Execution
• Abusing DPAPI
• Malicious Replication
• Skeleton Key Attack
• Golden Ticket Attack
• Silver Ticket Attack
o Maintain Domain Persistence Through AdminSDHolder
o Maintaining Persistence Through WMI Event Subscription
o Overpass-the-Hash Attack
o Linux Post Exploitation
o Windows Post Exploitation
o How to Defend against Persistence Attacks
Clearing Logs
▪ Covering Tracks
▪ Disabling Auditing: Auditpol
▪ Clearing Logs
▪ Manually Clearing Event Logs
▪ Ways to Clear Online Tracks
▪ Covering BASH Shell Tracks
▪ Covering Tracks on a Network
▪ Covering Tracks on an OS
▪ Delete Files using Cipher.exe
▪ Disable Windows Functionality
▪ Hiding Artifacts in Windows, Linux, and macOS
▪ Track-Covering Tools
▪ Defending against Covering Tracks

Module 07: Malware Threats


Malware Concepts
▪ Introduction to Malware
▪ Different Ways for Malware to Enter a System
▪ Common Techniques Attackers Use to Distribute Malware on the Web

▪ Components of Malware
▪ Potentially Unwanted Application or Applications (PUAs)
o Adware
APT Concepts
▪ What are Advanced Persistent Threats?
▪ Characteristics of Advanced Persistent Threats
▪ Advanced Persistent Threat Lifecycle
Trojan Concepts
▪ What is a Trojan?
▪ How Hackers Use Trojans
▪ Common Ports used by Trojans
▪ Types of Trojans
o Remote Access Trojans
o Backdoor Trojans
o Botnet Trojans
o Rootkit Trojans
o E-banking Trojans
• Working of E-banking Trojans
• E-banking Trojan: Dreambot
o Point-of-Sale Trojans
o Defacement Trojans
o Service Protocol Trojans
o Mobile Trojans
o IoT Trojans
o Security Software Disabler Trojans
o Destructive Trojans
o DDoS Trojans
o Command Shell Trojans
▪ How to Infect Systems Using a Trojan
o Creating a Trojan
o Employing a Dropper or Downloader

o Employing a Wrapper
o Employing a Crypter
o Propagating and Deploying a Trojan
o Exploit Kits
Virus and Worm Concepts
▪ Introduction to Viruses
▪ Stages of Virus Lifecycle
▪ Working of Viruses
o How does a Computer Get Infected by Viruses?
▪ Types of Viruses
o System or Boot Sector Viruses
o File Viruses
o Multipartite Viruses
o Macro Viruses
o Cluster Viruses
o Stealth Viruses/Tunneling Viruses
o Encryption Viruses
o Sparse Infector Viruses
o Polymorphic Viruses
o Metamorphic Viruses
o Overwriting File or Cavity Viruses
o Companion/Camouflage Viruses
o Shell Viruses
o File Extension Viruses
o FAT Viruses
o Logic Bomb Viruses
o Web Scripting Virus
o E-mail Viruses
o Armored Viruses
o Add-on Viruses
o Intrusive Viruses

o Direct Action or Transient Viruses
o Terminate and Stay Resident (TSR) Viruses
o Ransomware
• BlackCat
• BlackMatter
▪ How to Infect Systems Using a Virus: Creating a Virus
▪ How to Infect Systems Using a Virus: Propagating and Deploying a Virus
▪ Computer Worms
o Worm Makers
Fileless Malware Concepts
▪ What is Fileless Malware?
▪ Taxonomy of Fileless Malware Threats
▪ How does Fileless Malware Work?
▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits
▪ Launching Fileless Malware through Script-based Injection
▪ Launching Fileless Malware by Exploiting System Admin Tools
▪ Launching Fileless Malware through Phishing
▪ Maintaining Persistence with Fileless Techniques
▪ Fileless Malware
o LemonDuck
▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
Malware Analysis
▪ What is Sheep Dip Computer?
▪ Antivirus Sensor Systems
▪ Introduction to Malware Analysis
▪ Malware Analysis Procedure: Preparing Testbed
▪ Static Malware Analysis
o File Fingerprinting
o Local and Online Malware Scanning
o Performing Strings Search
o Identifying Packing/Obfuscation Methods

• Identifying Packing/Obfuscation Method of ELF Malware
o Finding the Portable Executables (PE) Information
o Identifying File Dependencies
o Malware Disassembly
o Analyzing ELF Executable Files
o Analyzing Mach Object (Mach-O) Executable Files
o Analyzing Malicious MS Office Documents
• Finding Suspicious Components
• Finding Macro Streams
• Dumping Macro Streams
• Identifying Suspicious VBA Keywords
▪ Dynamic Malware Analysis
o Port Monitoring
o Process Monitoring
o Registry Monitoring
o Windows Services Monitoring
o Startup Programs Monitoring
o Event Logs Monitoring/Analysis
o Installation Monitoring
o Files and Folders Monitoring
o Device Drivers Monitoring
o Network Traffic Monitoring/Analysis
o DNS Monitoring/Resolution
o API Calls Monitoring
o System Calls Monitoring
▪ Virus Detection Methods
▪ Trojan Analysis: ElectroRAT
o ElectroRAT Malware Attack Phases
• Initial propagation and Infection
• Deploying Malware
• Exploitation

• Maintaining Persistence
▪ Virus Analysis: REvil Ransomware
o REvil Ransomware Attack Stages
• Initial Access
• Download and Execution
• Exploitation
• Lateral Movement / Defense Evasion and Discovery
• Credential Access and Exfiltration / Command and Control
▪ Fileless Malware Analysis: SockDetour
o SockDetour Fileless Malware Attack Stages
• Pre-exploitation
• Initial infection
• Exploitation
• Post-exploitation
✓ Client Authentication and C2 Communication After Exploitation
✓ Plugin Loading Feature
Malware Countermeasures
▪ Trojan Countermeasures
▪ Backdoor Countermeasures
▪ Virus and Worm Countermeasures
▪ Fileless Malware Countermeasures
Anti-Malware Software
▪ Anti-Trojan Software
▪ Antivirus Software
▪ Fileless Malware Detection Tools
▪ Fileless Malware Protection Tools

Module 08: Sniffing


Sniffing Concepts
▪ Network Sniffing
▪ Types of Sniffing
▪ How an Attacker Hacks the Network Using Sniffers
▪ Protocols Vulnerable to Sniffing
▪ Sniffing in the Data Link Layer of the OSI Model
▪ Hardware Protocol Analyzers
▪ SPAN Port
▪ Wiretapping
▪ Lawful Interception
Sniffing Technique: MAC Attacks
▪ MAC Address/CAM Table
▪ How CAM Works
▪ What Happens When a CAM Table Is Full?
▪ MAC Flooding
▪ Switch Port Stealing
▪ How to Defend against MAC Attacks
Sniffing Technique: DHCP Attacks
▪ How DHCP Works
▪ DHCP Request/Reply Messages
▪ DHCP Starvation Attack
▪ Rogue DHCP Server Attack
▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
o MAC Limiting Configuration on Juniper Switches
o Configuring DHCP Filtering on a Switch
Sniffing Technique: ARP Poisoning
▪ What Is Address Resolution Protocol (ARP)?
▪ ARP Spoofing Attack
▪ Threats of ARP Poisoning
▪ ARP Poisoning Tools
▪ How to Defend Against ARP Poisoning
▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
▪ ARP Spoofing Detection Tools

Sniffing Technique: Spoofing Attacks
▪ MAC Spoofing/Duplicating
▪ MAC Spoofing Technique: Windows
▪ MAC Spoofing Tools
▪ IRDP Spoofing
▪ VLAN Hopping
▪ STP Attack
▪ How to Defend Against MAC Spoofing
▪ How to Defend Against VLAN Hopping
▪ How to Defend Against STP Attacks
Sniffing Technique: DNS Poisoning
▪ DNS Poisoning Techniques
o Intranet DNS Spoofing
o Internet DNS Spoofing
o Proxy Server DNS Poisoning
o DNS Cache Poisoning
• SAD DNS Attack
▪ DNS Poisoning Tools
▪ How to Defend Against DNS Spoofing
Sniffing Tools
▪ Sniffing Tool: Wireshark
o Follow TCP Stream in Wireshark
o Display Filters in Wireshark
o Additional Wireshark Filters
▪ Sniffing Tools
o RITA (Real Intelligence Threat Analytics)
▪ Packet Sniffing Tools for Mobile Phones
Sniffing Countermeasures
▪ How to Defend Against Sniffing
▪ How to Detect Sniffing
▪ Sniffer Detection Techniques

o Ping Method
o DNS Method
o ARP Method
▪ Promiscuous Detection Tools

Module 09: Social Engineering


Social Engineering Concepts
▪ What is Social Engineering?
▪ Phases of a Social Engineering Attack
Social Engineering Techniques
▪ Types of Social Engineering
▪ Human-based Social Engineering
o Impersonation
o Impersonation (Vishing)
o Eavesdropping
o Shoulder Surfing
o Dumpster Diving
o Reverse Social Engineering
o Piggybacking
o Tailgating
o Diversion Theft
o Honey Trap
o Baiting
o Quid Pro Quo
o Elicitation
▪ Computer-based Social Engineering
o Phishing
• Examples of Phishing Emails
• Types of Phishing
✓ Spear Phishing
✓ Whaling

✓ Pharming
✓ Spimming
✓ Angler Phishing
✓ Catfishing Attack
✓ Deepfake Attacks
• Phishing Tools
▪ Mobile-based Social Engineering
o Publishing Malicious Apps
o Repackaging Legitimate Apps
o Fake Security Applications
o SMiShing (SMS Phishing)
Insider Threats
▪ Insider Threats/Insider Attacks
▪ Types of Insider Threats
▪ Behavioral Indications of an Insider Threat
Impersonation on Social Networking Sites
▪ Social Engineering through Impersonation on Social Networking Sites
▪ Impersonation on Facebook
▪ Social Networking Threats to Corporate Networks
Identity Theft
▪ Identity Theft
Social Engineering Countermeasures
▪ Social Engineering Countermeasures
▪ How to Defend against Phishing Attacks?
▪ Detecting Insider Threats
▪ Insider Threats Countermeasures
▪ Identity Theft Countermeasures
▪ How to Detect Phishing Emails?
▪ Anti-Phishing Toolbar
▪ Common Social Engineering Targets and Defense Strategies
▪ Social Engineering Tools

▪ Audit Organization's Security for Phishing Attacks using OhPhish

Module 10: Denial-of-Service


DoS/DDoS Concepts
▪ What is a DoS Attack?
▪ What is a DDoS Attack?
Botnets
▪ Organized Cyber Crime: Organizational Chart
▪ Botnets
▪ A Typical Botnet Setup
▪ Botnet Ecosystem
▪ Scanning Methods for Finding Vulnerable Machines
▪ How Does Malicious Code Propagate?
DoS/DDoS Attack Techniques
▪ Basic Categories of DoS/DDoS Attack Vectors
o Volumetric Attacks
• UDP Flood Attack
• ICMP Flood Attack
• Ping of Death and Smurf Attacks
• Pulse Wave and Zero-Day DDoS Attacks
o Protocol Attacks
• SYN Flood Attack
• Fragmentation Attack
• Spoofed Session Flood Attack
o Application Layer Attacks
• HTTP GET/POST and Slowloris Attacks
• UDP Application Layer Flood Attack
▪ Multi-Vector Attack
▪ Peer-to-Peer Attack
▪ Permanent Denial-of-Service Attack
▪ TCP SACK Panic
▪ Distributed Reflection Denial-of-Service (DRDoS) Attack
▪ DDoS Extortion/Ransom DDoS (RDDoS) Attack
▪ DoS/DDoS Attack Tools
▪ DoS and DDoS Attack Tools for Mobiles
DDoS Case Study
▪ DDoS Attack
▪ Hackers Advertise Links for Downloading Botnets
▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
▪ DDoS Case Study: DDoS Attack on Microsoft Azure
DoS/DDoS Attack Countermeasures
▪ Detection Techniques
▪ DoS/DDoS Countermeasure Strategies
▪ DDoS Attack Countermeasures
o Protect Secondary Victims
o Detect and Neutralize Handlers
o Prevent Potential Attacks
o Deflect Attacks
o Mitigate Attacks
o Post-Attack Forensics
▪ Techniques to Defend against Botnets
▪ Additional DoS/DDoS Countermeasures
▪ DoS/DDoS Protection at ISP Level
▪ Enabling TCP Intercept on Cisco IOS Software
▪ Advanced DDoS Protection Appliances
▪ DoS/DDoS Protection Tools
▪ DoS/DDoS Protection Services

Module 11: Session Hijacking


Session Hijacking Concepts
▪ What is Session Hijacking?
▪ Why is Session Hijacking Successful?

▪ Session Hijacking Process
▪ Packet Analysis of a Local Session Hijack
▪ Types of Session Hijacking
▪ Session Hijacking in OSI Model
▪ Spoofing vs. Hijacking
Application-Level Session Hijacking
▪ Application-Level Session Hijacking
▪ Compromising Session IDs using Sniffing and by Predicting Session Token
o How to Predict a Session Token
▪ Compromising Session IDs Using Man-in-the-Middle/Manipulator-in-the-Middle Attack
▪ Compromising Session IDs Using Man-in-the-Browser/Manipulator-in-the-Browser Attack
o Steps to Perform Man-in-the-Browser Attack
▪ Compromising Session IDs Using Client-side Attacks
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
▪ Compromising Session IDs Using Session Replay Attacks
▪ Compromising Session IDs Using Session Fixation
▪ Session Hijacking Using Proxy Servers
▪ Session Hijacking Using CRIME Attack
▪ Session Hijacking Using Forbidden Attack
▪ Session Hijacking Using Session Donation Attack
▪ PetitPotam Hijacking
Network-Level Session Hijacking
▪ Network Level Session Hijacking
▪ TCP/IP Hijacking
▪ IP Spoofing: Source Routed Packets
▪ RST Hijacking
▪ Blind and UDP Hijacking
▪ MiTM Attack Using Forged ICMP and ARP Spoofing
Session Hijacking Tools
▪ Session Hijacking Tools
▪ Session Hijacking Tools for Mobile Phones
Session Hijacking Countermeasures
▪ Session Hijacking Detection Methods
▪ Protecting against Session Hijacking
▪ Web Development Guidelines to Prevent Session Hijacking
▪ Web User Guidelines to Prevent Session Hijacking
▪ Session Hijacking Detection Tools
▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions
▪ Approaches to Prevent Session Hijacking
o HTTP Referrer Header
▪ Approaches to Prevent MITM Attacks
o DNS over HTTPS
o Password Manager
o Zero-trust Principles
▪ IPsec
o IPsec Authentication and Confidentiality
▪ Session Hijacking Prevention Tools

Module 12: Evading IDS, Firewalls, and Honeypots


IDS, IPS, Firewall, and Honeypot Concepts
▪ Intrusion Detection System (IDS)
o How an IDS Detects an Intrusion?
o General Indications of Intrusions
o Types of Intrusion Detection Systems
o Types of IDS Alerts
▪ Intrusion Prevention System (IPS)
▪ Firewall
o Firewall Architecture
o Demilitarized Zone (DMZ)
o Types of Firewalls
o Firewall Technologies
• Packet Filtering Firewall
• Circuit-Level Gateway Firewall
• Application-Level Firewall
• Stateful Multilayer Inspection Firewall
• Application Proxy
• Network Address Translation (NAT)
• Virtual Private Network
o Firewall Limitations
▪ Honeypot
o Types of Honeypots
IDS, IPS, Firewall, and Honeypot Solutions
▪ Intrusion Detection using YARA Rules
▪ Intrusion Detection Tools
o Snort
• Snort Rules
• Snort Rules: Rule Actions and IP Protocols
• Snort Rules: The Direction Operator and IP Addresses
• Snort Rules: Port Numbers
• Intrusion Detection Tools
o Intrusion Detection Tools for Mobile Devices
▪ Intrusion Prevention Tools
▪ Firewalls
o Firewalls for Mobile Devices
▪ Honeypot Tools
Evading IDS
▪ IDS Evasion Techniques
o Insertion Attack
o Evasion
o Denial-of-Service Attack (DoS)
o Obfuscating
o False Positive Generation
o Session Splicing
o Unicode Evasion Technique
o Fragmentation Attack
o Overlapping Fragments
o Time-To-Live Attacks
o Invalid RST Packets
o Urgency Flag
o Polymorphic Shellcode
o ASCII Shellcode
o Application-Layer Attacks
o Desynchronization
o Other Types of Evasion
Evading Firewalls
▪ Firewall Evasion Techniques
o Firewall Identification
o IP Address Spoofing
o Source Routing
o Tiny Fragments
o Bypass Blocked Sites Using an IP Address in Place of a URL
o Bypass Blocked Sites Using Anonymous Website Surfing Sites
o Bypass a Firewall Using a Proxy Server
o Bypassing Firewalls through the ICMP Tunneling Method
o Bypassing Firewalls through the ACK Tunneling Method
o Bypassing Firewalls through the HTTP Tunneling Method
• Why do I Need HTTP Tunneling?
• HTTP Tunneling Tools
o Bypassing Firewalls through the SSH Tunneling Method
• SSH Tunneling Tools: Bitvise and Secure Pipes
o Bypassing Firewalls through the DNS Tunneling Method
o Bypassing Firewalls through External Systems
o Bypassing Firewalls through MITM Attacks
o Bypassing Firewalls through Content
o Bypassing the WAF using an XSS Attack
o Other Techniques for Bypassing WAF
• Using HTTP Header Spoofing
• Using Blacklist Detection
• Using Fuzzing/Bruteforcing
• Abusing SSL/TLS ciphers
o Bypassing Firewalls through HTML Smuggling
o Bypassing Firewalls through Windows BITS
Evading NAC and Endpoint Security
▪ Bypassing NAC using VLAN Hopping
▪ Bypassing NAC using Pre-authenticated Device
▪ Bypassing Endpoint Security using Ghostwriting
▪ Bypassing Endpoint Security using Application Whitelisting
▪ Bypassing Endpoint Security using XLM Weaponization
▪ Bypassing Endpoint Security by Dechaining Macros
▪ Bypassing Endpoint Security by Clearing Memory Hooks
▪ Bypassing Antivirus using Metasploit Templates
▪ Bypassing Symantec Endpoint Protection
▪ Other Techniques for Bypassing Endpoint Security
o Hosting Phishing Sites
o Passing Encoded Commands
o Fast Flux DNS Method
o Timing-based Evasion
o Signed Binary Proxy Execution
IDS/Firewall Evading Tools
▪ IDS/Firewall Evading Tools
▪ Packet Fragment Generator Tools
Detecting Honeypots
▪ Detecting Honeypots
o Detecting and Defeating Honeypots
▪ Honeypot Detection Tools: Send-Safe Honeypot Hunter
IDS/Firewall Evasion Countermeasures
▪ How to Defend Against IDS Evasion
▪ How to Defend Against Firewall Evasion

Module 13: Hacking Web Servers


Web Server Concepts
▪ Web Server Operations
▪ Web Server Security Issues
▪ Why are Web Servers Compromised?
Web Server Attacks
▪ DNS Server Hijacking
▪ DNS Amplification Attack
▪ Directory Traversal Attacks
▪ Website Defacement
▪ Web Server Misconfiguration
▪ HTTP Response-Splitting Attack
▪ Web Cache Poisoning Attack
▪ SSH Brute Force Attack
▪ Web Server Password Cracking
▪ Other Web Server Attacks
o DoS/DDoS Attacks
o Man-in-the-Middle Attack
o Phishing Attacks
o Web Application Attacks
Web Server Attack Methodology
▪ Information Gathering
o Information Gathering from Robots.txt File
▪ Web Server Footprinting/Banner Grabbing
o Web Server Footprinting Tools
o Enumerating Web Server Information Using Nmap
▪ Website Mirroring
o Finding Default Credentials of Web Server
o Finding Default Content of Web Server
o Finding Directory Listings of Web Server
▪ Vulnerability Scanning
o Finding Exploitable Vulnerabilities
▪ Session Hijacking
▪ Web Server Password Hacking
▪ Using Application Server as a Proxy
▪ Web Server Attack Tools
o Metasploit
• Metasploit Exploit Module
• Metasploit Payload and Auxiliary Modules
• Metasploit NOPS Module
o Web Server Attack Tools
Web Server Attack Countermeasures
▪ Place Web Servers in Separate Secure Server Security Segment on Network
▪ Countermeasures: Patches and Updates
▪ Countermeasures: Protocols and Accounts
▪ Countermeasures: Files and Directories
▪ Detecting Web Server Hacking Attempts
▪ How to Defend Against Web Server Attacks
▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
▪ How to Defend against DNS Hijacking
▪ Web Server Security Tools
o Web Application Security Scanners
o Web Server Security Scanners
o Web Server Malware Infection Monitoring Tools
o Web Server Security Tools
o Web Server Pen Testing Tools
Patch Management
▪ Patches and Hotfixes
▪ What is Patch Management?
▪ Installation of a Patch
▪ Patch Management Tools

Module 14: Hacking Web Applications


Web Application Concepts
▪ Introduction to Web Applications
▪ Web Application Architecture
▪ Web Services
▪ Vulnerability Stack
Web Application Threats
▪ OWASP Top 10 Application Security Risks - 2021
o A01 - Broken Access Control
o A02 - Cryptographic Failures/Sensitive Data Exposure
o A03 - Injection Flaws
• SQL Injection Attacks
• Command Injection Attacks
✓ Command Injection Example
• File Injection Attack
• LDAP Injection Attacks
• Other Injection Attacks
✓ JNDI Injection
• Cross-Site Scripting (XSS) Attacks
✓ Cross-Site Scripting Attack Scenario: Attack via Email
✓ XSS Attack in Blog Posting
✓ XSS Attack in Comment Field
o A04 - Insecure Design
o A05 - Security Misconfiguration
• XML External Entity (XXE)
o A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities
o A07 - Identification and Authentication Failures/Broken Authentication
o A08 - Software and Data Integrity Failures
• Insecure Deserialization
o A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring
o A10 - Server-Side Request Forgery (SSRF)
• Types of Server-Side Request Forgery (SSRF) Attack
✓ Injecting SSRF payload
✓ Cross-Site Port Attack (XSPA)
▪ Other Web Application Threats
o Directory Traversal
o Unvalidated Redirects and Forwards
• Open Redirection
• Header-Based Open Redirection
• JavaScript-Based Open Redirection
o Watering Hole Attack
o Cross-Site Request Forgery (CSRF) Attack
o Cookie/Session Poisoning
o Web Service Attack
o Web Service Footprinting Attack
o Web Service XML Poisoning
o Hidden Field Manipulation Attack
o Web-based Timing Attacks
o MarioNet Attack
o Clickjacking Attack
o DNS Rebinding Attack
o Same-Site Attack
o Pass-the-cookie Attack
Web Application Hacking Methodology
▪ Web Application Hacking Methodology
▪ Footprint Web Infrastructure
o Server Discovery
o Service Discovery
o Server Identification/Banner Grabbing
o Detecting Web App Firewalls and Proxies on Target Site
o Hidden Content Discovery
o Detect Load Balancers
▪ Analyze Web Applications
o Identify Entry Points for User Input
o Identify Server-Side Technologies
o Identify Server-Side Functionality
o Identify Files and Directories
o Identify Web Application Vulnerabilities
o Map the Attack Surface
▪ Bypass Client-side Controls
o Attack Hidden Form Fields
o Attack Browser Extensions
• Attack Google Chrome Browser Extensions
o Perform Source Code Review
o Evade XSS Filters
▪ Attack Authentication Mechanism
o Design and Implementation Flaws in Authentication Mechanism
o Username Enumeration
o Password Attacks: Password Functionality Exploits
o Password Attacks: Password Guessing and Brute-forcing
o Password Attacks: Attack Password Reset Mechanism
o Session Attacks: Session ID Prediction/Brute-forcing
o Cookie Exploitation: Cookie Poisoning
o Bypass Authentication: Bypass SAML-based SSO
▪ Attack Authorization Schemes
o Authorization Attack: HTTP Request Tampering
o Authorization Attack: Cookie Parameter Tampering
▪ Attack Access Controls
▪ Attack Session Management Mechanism
o Attacking Session Token Generation Mechanism
o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
▪ Perform Injection/Input Validation Attacks
o Perform Local File Inclusion (LFI)
▪ Attack Application Logic Flaws
▪ Attack Shared Environments
▪ Attack Database Connectivity
o Connection String Injection
o Connection String Parameter Pollution (CSPP) Attacks
o Connection Pool DoS
▪ Attack Web Application Client
▪ Attack Web Services
o Web Services Probing Attacks
o Web Service Attacks: SOAP Injection
o Web Service Attacks: SOAPAction Spoofing
o Web Service Attacks: WS-Address Spoofing
o Web Service Attacks: XML Injection
o Web Services Parsing Attacks
o Web Service Attack Tools
▪ Additional Web Application Hacking Tools
Web API, Webhooks, and Web Shell
▪ What is Web API?
o Web Services APIs
▪ What are Webhooks?
▪ OWASP Top 10 API Security Risks
▪ API Vulnerabilities
▪ Web API Hacking Methodology
o Identify the Target
o Detect Security Standards
o Identify the Attack Surface
• Analyze Web API Requests and Responses
o Launch Attacks
• Fuzzing and Invalid Input Attacks
• Malicious Input Attacks
• Injection Attacks
• Exploiting Insecure Configurations
• Login/Credential Stuffing Attacks
• API DDoS Attacks
• Authorization Attacks on API: OAuth Attacks
✓ SSRF using Dynamic Client Registration endpoint
✓ WebFinger User Enumeration
✓ Exploit Flawed Scope Validation
• Other Techniques to Hack an API
o REST API Vulnerability Scanning
o Bypassing IDOR via Parameter Pollution
▪ Web Shells
o Web Shell Tools
▪ How to Prevent Installation of a Web Shell
▪ Web Shell Detection Tools
▪ Secure API Architecture
o Implementing Layered Security in an API
▪ API Security Risks and Solutions
▪ Best Practices for API Security
▪ Best Practices for Securing Webhooks
Web Application Security
▪ Web Application Security Testing
▪ Web Application Fuzz Testing
▪ Source Code Review
▪ Encoding Schemes
▪ Whitelisting vs. Blacklisting Applications
o Application Whitelisting and Blacklisting Tools
▪ How to Defend Against Injection Attacks
▪ Web Application Attack Countermeasures
▪ How to Defend Against Web Application Attacks
▪ RASP for Protecting Web Servers
▪ Bug Bounty Programs
▪ Web Application Security Testing Tools
▪ Web Application Firewalls

Module 15: SQL Injection


SQL Injection Concepts
▪ What is SQL Injection?
▪ SQL Injection and Server-side Technologies
▪ Understanding HTTP POST Request
▪ Understanding Normal SQL Query
▪ Understanding an SQL Injection Query
▪ Understanding an SQL Injection Query – Code Analysis
▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
▪ Examples of SQL Injection
Types of SQL Injection
▪ Types of SQL injection
o In-Band SQL Injection
• Error Based SQL Injection
• Union SQL Injection
o Blind/Inferential SQL Injection
• Blind SQL Injection: No Error Message Returned
• Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
• Blind SQL Injection: Boolean Exploitation and Heavy Query
o Out-of-Band SQL injection
SQL Injection Methodology
▪ Information Gathering and SQL Injection Vulnerability Detection
o Information Gathering
o Identifying Data Entry Paths
o Extracting Information through Error Messages
o SQL Injection Vulnerability Detection: Testing for SQL Injection
o Additional Methods to Detect SQL Injection
o SQL Injection Black Box Pen Testing
o Source Code Review to Detect SQL Injection Vulnerabilities
o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
▪ Launch SQL Injection Attacks
o Perform Union SQL Injection
o Perform Error Based SQL Injection
o Perform Error Based SQL Injection using Stored Procedure Injection
o Bypass Website Logins Using SQL Injection
o Perform Blind SQL Injection – Exploitation (MySQL)
o Blind SQL Injection - Extract Database User
o Blind SQL Injection - Extract Database Name
o Blind SQL Injection - Extract Column Name
o Blind SQL Injection - Extract Data from ROWS
o Perform Double Blind SQL Injection – Classical Exploitation (MySQL)
o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
o Exploiting Second-Order SQL Injection
o Bypass Firewall using SQL Injection
o Perform SQL Injection to Insert a New User and Update Password
o Exporting a Value with Regular Expression Attack
▪ Advanced SQL Injection
o Database, Table, and Column Enumeration
o Advanced Enumeration
o Features of Different DBMSs
o Creating Database Accounts
o Password Grabbing
o Grabbing SQL Server Hashes
o Transfer Database to Attacker's Machine
o Interacting with the Operating System
o Interacting with the File System
o Network Reconnaissance Using SQL Injection
o Network Reconnaissance Full Query
o Finding and Bypassing Admin Panel of a Website
o PL/SQL Exploitation
o Creating Server Backdoors using SQL Injection
o HTTP Header-Based SQL Injection
o DNS Exfiltration using SQL Injection
o MongoDB Injection/NoSQL Injection Attack
o Case Study: SQL Injection Attack and Defense
SQL Injection Tools
▪ SQL Injection Tools
▪ SQL Injection Tools for Mobile Devices
Evasion Techniques
▪ Evading IDS
▪ Types of Signature Evasion Techniques
o Evasion Technique: In-line Comment and Char Encoding
o Evasion Technique: String Concatenation and Obfuscated Code
o Evasion Technique: Manipulating White Spaces and Hex Encoding
o Evasion Technique: Sophisticated Matches and URL Encoding
o Evasion Technique: Null Byte and Case Variation
o Evasion Technique: Declare Variables and IP Fragmentation
o Evasion Technique: Variation
SQL Injection Countermeasures
▪ How to Defend Against SQL Injection Attacks
o Use Type-Safe SQL Parameters
o Defenses in the Application
• LIKE Clauses
• Wrapping Parameters with QUOTENAME() and REPLACE()
▪ Detecting SQL Injection Attacks
▪ SQL Injection Detection Tools
o OWASP ZAP and Damn Small SQLi Scanner (DSSS)
o Snort
o SQL Injection Detection Tools

Module 16: Hacking Wireless Networks


Wireless Concepts
▪ Wireless Terminology
▪ Wireless Networks
▪ Wireless Standards
▪ Service Set Identifier (SSID)
▪ Wi-Fi Authentication Modes
▪ Wi-Fi Authentication Process Using a Centralized Authentication Server
▪ Types of Wireless Antennas
Wireless Encryption
▪ Types of Wireless Encryption
o Wired Equivalent Privacy (WEP) Encryption
o Wi-Fi Protected Access (WPA) Encryption
o WPA2 Encryption
o WPA3 Encryption
▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Issues in WEP, WPA, and WPA2
Wireless Threats
▪ Wireless Threats
o Rogue AP Attack
o Client Mis-association
o Misconfigured AP Attack
o Unauthorized Association
o Ad-Hoc Connection Attack
o Honeypot AP Attack
o AP MAC Spoofing
o Denial-of-Service Attack
o Key Reinstallation Attack (KRACK)
o Jamming Signal Attack
• Wi-Fi Jamming Devices
o aLTEr Attack
o Wormhole and Sinkhole Attacks
o Inter-Chip Privilege Escalation/Wireless Co-Existence Attack
o GNSS Spoofing
Wireless Hacking Methodology
▪ Wireless Hacking Methodology
▪ Wi-Fi Discovery
o Wireless Network Footprinting
o Finding Wi-Fi Networks in Range to Attack
o Finding WPS-Enabled APs
o Wi-Fi Discovery Tools
o Mobile-based Wi-Fi Discovery Tools
▪ GPS Mapping
o GPS Mapping Tools
o Wi-Fi Hotspot Finder Tools
o Wi-Fi Network Discovery Through WarDriving
▪ Wireless Traffic Analysis
o Choosing the Optimal Wi-Fi Card
o Sniffing Wireless Traffic
o Perform Spectrum Analysis
▪ Launch of Wireless Attacks
o Aircrack-ng Suite
o Detection of Hidden SSIDs
o Fragmentation Attack
o MAC Spoofing Attack
o Denial-of-Service: Disassociation and De-authentication Attacks
o Man-in-the-Middle Attack
o MITM Attack Using Aircrack-ng
o Wireless ARP Poisoning Attack
• ARP Poisoning Attack Using Ettercap
o Rogue APs
• Creation of a Rogue AP Using MANA Toolkit
o Evil Twin
• Set Up of a Fake Hotspot (Evil Twin)
o aLTEr Attack
o Wi-Jacking Attack
o RFID Cloning Attack
▪ Wi-Fi Encryption Cracking
o WEP Encryption Cracking
o Cracking WEP Using Aircrack-ng
o WPA/WPA2 Encryption Cracking
o Cracking WPA-PSK Using Aircrack-ng
o Cracking WPA/WPA2 Using Wifiphisher
o Cracking WPS Using Reaver
o WPA3 Encryption Cracking
o WEP Cracking and WPA Brute Forcing Using Wesside-ng and Fern Wifi Cracker
Wireless Hacking Tools
▪ WEP/WPA/WPA2 Cracking Tools
▪ WEP/WPA/WPA2 Cracking Tools for Mobile
▪ Wi-Fi Packet Sniffers
▪ Wi-Fi Traffic Analyzer Tools
▪ Other Wireless Hacking Tools
Bluetooth Hacking
▪ Bluetooth Stack
▪ Bluetooth Hacking
▪ Bluetooth Threats
▪ Bluejacking
▪ Bluetooth Reconnaissance Using Bluez
▪ Btlejacking Using BtleJack
▪ Cracking BLE Encryption Using crackle
▪ Bluetooth Hacking Tools
Wireless Attack Countermeasures
▪ Wireless Security Layers
▪ Defense Against WPA/WPA2/WPA3 Cracking
▪ Defense Against KRACK and aLTEr Attacks
▪ Detection and Blocking of Rogue APs
▪ Defense Against Wireless Attacks
▪ Defense Against Bluetooth Hacking
Wireless Security Tools
▪ Wireless Intrusion Prevention Systems
▪ WIPS Deployment
▪ Wi-Fi Security Auditing Tools
▪ Wi-Fi IPSs
▪ Wi-Fi Predictive Planning Tools
▪ Wi-Fi Vulnerability Scanning Tools
▪ Bluetooth Security Tools
▪ Wi-Fi Security Tools for Mobile

Module 17: Hacking Mobile Platforms


Mobile Platform Attack Vectors
▪ Vulnerable Areas in Mobile Business Environment
▪ OWASP Top 10 Mobile Risks – 2016
▪ Anatomy of a Mobile Attack
▪ How a Hacker can Profit from Mobile Devices that are Successfully Compromised
▪ Mobile Attack Vectors and Mobile Platform Vulnerabilities
▪ Security Issues Arising from App Stores
▪ App Sandboxing Issues
▪ Mobile Spam
▪ SMS Phishing Attack (SMiShing) (Targeted Attack Scan)
o SMS Phishing Attack Examples
▪ Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
▪ Agent Smith Attack
▪ Exploiting SS7 Vulnerability
▪ Simjacker: SIM Card Attack
▪ OTP Hijacking/Two-Factor Authentication Hijacking
▪ Camera/Microphone Capture Attacks
o Camfecting Attack
o Android Camera Hijack Attack
Hacking Android OS
▪ Android OS
o Android Device Administration API
▪ Android Rooting
o Rooting Android Using KingoRoot
o Android Rooting Tools
▪ Hacking Android Devices
o Blocking Wi-Fi Access Using NetCut
o Identifying Attack Surfaces Using drozer
o Hacking with zANTI and Network Spoofer
o Launch DoS Attack using Low Orbit Ion Cannon (LOIC)
o Session Hijacking Using DroidSheep
o Hacking with Orbot Proxy
o Exploiting Android Device through ADB Using PhoneSploit
o Android-based Sniffers
o Launching Man-in-the-Disk Attack
o Launching Spearphone Attack
o Exploiting Android Devices Using Metasploit
o Other Techniques for Hacking Android Devices
o Android Trojans
▪ OTP Hijacking Tools
▪ Camera/Microphone Hijacking Tools
▪ Android Hacking Tools
▪ Securing Android Devices
▪ Android Security Tools
o Android Device Tracking Tools: Google Find My Device
o Android Device Tracking Tools
o Android Vulnerability Scanners
o Online Android Analyzers
Hacking iOS
▪ Apple iOS
▪ Jailbreaking iOS
o Jailbreaking Techniques
o Jailbreaking iOS Using Hexxa Plus
o Jailbreaking Tools
▪ Hacking iOS Devices
o Hacking using Spyzie
o Hacking Network using Network Analyzer Pro
o iOS Trustjacking
o Analyzing and Manipulating iOS Applications
• Manipulating an iOS Application Using cycript
• iOS Method Swizzling
• Extracting Secrets Using Keychain Dumper
• Analyzing an iOS Application Using objection
o iOS Malware
o iOS Hacking Tools
▪ Securing iOS Devices
▪ iOS Device Security Tools
▪ iOS Device Tracking Tools
Mobile Device Management
▪ Mobile Device Management (MDM)
▪ Mobile Device Management Solutions: IBM MaaS360
o Mobile Device Management Solutions
▪ Bring Your Own Device (BYOD)
o BYOD Risks
o BYOD Policy Implementation
o BYOD Security Guidelines
Mobile Security Guidelines and Tools
▪ OWASP Top 10 Mobile Controls
▪ General Guidelines for Mobile Platform Security
▪ Mobile Device Security Guidelines for Administrator
▪ SMS Phishing Countermeasures
▪ Critical Data Storage in Android and iOS: KeyStore and Keychain Recommendations
▪ Mobile Security Tools
o Source Code Analysis Tools
o Reverse Engineering Tools
o App Repackaging Detector
o Mobile Protection Tools
o Mobile Anti-Spyware
o Mobile Pen Testing Toolkit: ImmuniWeb® MobileSuite

Module 18: IoT and OT Hacking


IoT Hacking
IoT Concepts
▪ What is the IoT?
▪ How the IoT Works
▪ IoT Architecture
▪ IoT Application Areas and Devices
▪ IoT Technologies and Protocols
▪ IoT Communication Models
▪ Challenges of IoT
▪ Threat vs Opportunity
IoT Attacks
▪ IoT Security Problems
▪ OWASP Top 10 IoT Threats
▪ OWASP IoT Attack Surface Areas
▪ IoT Vulnerabilities
▪ IoT Threats
▪ Hacking IoT Devices: General Scenario
▪ IoT Attacks
o DDoS Attack
o Exploit HVAC
o Rolling Code Attack
o BlueBorne Attack
o Jamming Attack
o Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor
o SDR-Based Attacks on IoT
o Identifying and Accessing Local IoT Devices
o Fault Injection Attacks
o Other IoT Attacks
▪ IoT Attacks in Different Sectors
▪ Case Study: Enemybot
IoT Hacking Methodology
▪ What is IoT Device Hacking?
▪ IoT Hacking Methodology
o Information Gathering Using Shodan
o Information Gathering using MultiPing
o Information Gathering using FCC ID Search
o Discovering IoT Devices with Default Credentials using IoTSeeker
o Vulnerability Scanning using Nmap
o Vulnerability Scanning using RIoT Vulnerability Scanner
o Sniffing using Foren6
o Sniffing using Wireshark
o Analyzing Spectrum and IoT Traffic
o Rolling code Attack using RFCrack
o Hacking Zigbee Devices with Attify Zigbee Framework
o BlueBorne Attack Using HackRF One
o Replay Attack using HackRF One
o SDR-Based Attacks using RTL-SDR and GNU Radio
o Side Channel Attack using ChipWhisperer
o Identifying IoT Communication Buses and Interfaces
o NAND Glitching
o Gaining Remote Access using Telnet
o Maintain Access by Exploiting Firmware
• Firmware Analysis and Reverse Engineering
✓ Emulate Firmware for Dynamic Testing
▪ IoT Hacking Tools
o Information-Gathering Tools
o Sniffing Tools
o Vulnerability-Scanning Tools
o Tools to Perform SDR-Based Attacks
o IoT Hacking Tools
IoT Attack Countermeasures
▪ How to Defend Against IoT Hacking
▪ General Guidelines for IoT Device Manufacturing Companies
▪ OWASP Top 10 IoT Vulnerabilities Solutions
▪ IoT Framework Security Considerations
▪ IoT Hardware Security Best Practices
▪ IoT Device Management
▪ IoT Security Tools
OT Hacking
OT Concepts
▪ What is OT?
▪ Essential Terminology
▪ IT/OT Convergence (IIOT)
▪ The Purdue Model
▪ Challenges of OT
▪ Introduction to ICS
▪ Components of an ICS
o Distributed Control System (DCS)
o Supervisory Control and Data Acquisition (SCADA)
o Programmable Logic Controller (PLC)
o Basic Process Control System (BPCS)
o Safety Instrumented Systems (SIS)
▪ OT Technologies and Protocols
OT Attacks
▪ OT Vulnerabilities
▪ MITRE ATT&CK for ICS
▪ OT Threats
▪ OT Attacks
o HMI-based Attacks
o Side-Channel Attacks
o Hacking Programmable Logic Controller (PLC)
o Hacking Industrial Systems through RF Remote Controllers
o OT Malware
▪ OT Malware Analysis: INDUSTROYER.V2
OT Hacking Methodology
▪ What is OT Hacking?
▪ OT Hacking Methodology
o Identifying ICS/SCADA Systems using Shodan
o Gathering Default Passwords using CRITIFENCE
o Scanning ICS/SCADA Systems using Nmap
o Vulnerability Scanning using Nessus
o Vulnerability Scanning using Skybox Vulnerability Control
o Fuzzing ICS Protocols
o Sniffing using NetworkMiner
o Analyzing Modbus/TCP Traffic Using Wireshark
o Discovering ICS/SCADA Network Topology using GRASSMARLIN
o Hacking ICS Hardware
o Hacking Modbus Slaves using Metasploit
o Hacking PLC using modbus-cli
o Gaining Remote Access using DNP3
▪ OT Hacking Tools
o Information-Gathering Tools
o Sniffing and Vulnerability-Scanning Tools
o OT Hacking Tools
OT Attack Countermeasures
▪ How to Defend Against OT Hacking
▪ OT Vulnerabilities and Solutions
▪ How to Secure an IT/OT Environment
▪ Implementing a Zero-Trust Model for ICS/SCADA
▪ International OT Security Organizations and Frameworks
o OTCSA
o OT-ISAC
o NERC
o Industrial Internet Security Framework (IISF)
o ISA/IEC-62443
▪ OT Security Solutions
▪ OT Security Tools

Module 19: Cloud Computing


Cloud Computing Concepts
▪ Introduction to Cloud Computing
▪ Types of Cloud Computing Services
o Infrastructure-as-a-Service (IaaS)
o Platform-as-a-Service (PaaS)
o Software-as-a-Service (SaaS)
o Identity-as-a-Service (IDaaS)
o Security-as-a-Service (SECaaS)
o Container-as-a-Service (CaaS)
o Function-as-a-Service (FaaS)
o Anything-as-a-Service (XaaS)
o Firewalls-as-a-Service (FWaaS)
o Desktop-as-a-Service (DaaS)
o Mobile Backend-as-a-Service (MBaaS)
o Machines-as-a-Service (MaaS) Business Model
▪ Separation of Responsibilities in Cloud
▪ Cloud Deployment Models
o Public Cloud
o Private Cloud
o Community Cloud
o Hybrid Cloud
o Multi Cloud
o Distributed Cloud
o Poly Cloud
▪ NIST Cloud Deployment Reference Architecture
▪ Cloud Storage Architecture
▪ Role of AI in Cloud Computing
▪ Virtual Reality and Augmented Reality on Cloud
▪ Fog Computing
▪ Edge Computing
▪ Cloud vs. Fog Computing vs. Edge Computing
▪ Cloud Computing vs. Grid Computing
▪ Cloud Service Providers
Container Technology
▪ What is a Container?
▪ Containers Vs. Virtual Machines
▪ What is Docker?
o Microservices Vs. Docker
o Docker Networking
▪ Container Orchestration
▪ What is Kubernetes?
o Kubernetes Vs. Docker
▪ Clusters and Containers
▪ Container Security Challenges
▪ Container Management Platforms
▪ Kubernetes Platforms
Serverless Computing
▪ What is Serverless Computing?
▪ Serverless Vs. Containers
▪ Serverless Computing Frameworks
Cloud Computing Threats
▪ OWASP Top 10 Cloud Security Risks
▪ OWASP Top 10 Serverless Security Risks
▪ Cloud Computing Threats
▪ Container Vulnerabilities
▪ Kubernetes Vulnerabilities
▪ Cloud Attacks
o Service Hijacking using Social Engineering
o Service Hijacking using Network Sniffing
o Side-Channel Attacks or Cross-guest VM Breaches
o Wrapping Attack
o Man-in-the-Cloud (MITC) Attack
o Cloud Hopper Attack
o Cloud Cryptojacking
o Cloudborne Attack
o Instance Metadata Service (IMDS) Attack
o Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack
o Cloud Snooper Attack
o Golden SAML Attack
o Other Cloud Attacks
▪ Cloud Malware
Cloud Hacking
▪ What is Cloud Hacking?
▪ Hacking Cloud
o Container Vulnerability Scanning using Trivy
o Kubernetes Vulnerability Scanning using Sysdig
o Enumerating S3 Buckets
o Identifying Open S3 Buckets using S3Scanner
o Enumerating AWS Account IDs
o Enumerating IAM Roles
o Enumerating Bucket Permissions using S3Inspector
o Enumerating Kubernetes etcd
o Enumerating Azure Active Directory (AD) Accounts
o Gathering Cloud Keys Through IMDS Attack
o Exploiting Amazon Cloud Infrastructure using Nimbostratus
o Exploiting Misconfigured AWS S3 Buckets
o Compromising AWS IAM Credentials
o Hijacking Misconfigured IAM Roles using Pacu
o Cracking AWS Access Keys using DumpsterDiver
o Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT)
o Serverless-Based Attacks on AWS Lambda
o Exploiting Shadow Admins in AWS
o Exploiting Docker Remote API
o Hacking Container Volumes
o CloudGoat 2 – Vulnerable by Design AWS Deployment Tool
o Gaining Access by Exploiting SSRF Vulnerability
o AWS IAM Privilege Escalation Techniques
o Escalating Privileges of Google Storage Buckets using GCPBucketBrute
o Privilege Escalation Using Misconfigured User Accounts in Azure AD
o Creating Backdoor Accounts in AWS
o Backdooring Docker Images using dockerscan
o Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating CloudTrail Service
▪ AWS Hacking Tool: AWS pwn
Cloud Security
▪ Cloud Security Control Layers
▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer
▪ Cloud Computing Security Considerations
▪ Placement of Security Controls in the Cloud
▪ Best Practices for Securing Cloud
▪ NIST Recommendations for Cloud Security
▪ Security Assertion Markup Language (SAML)
▪ Cloud Network Security
o Virtual Private Cloud (VPC)
o Public and Private Subnets
o Transit Gateways
o VPC Endpoint
▪ Cloud Security Controls
o Cloud Application Security
o High Availability Across Zones
o Cloud Integration and Auditing
o Security Groups
o Instance Awareness
▪ Kubernetes Vulnerabilities and Solutions
▪ Serverless Security Risks and Solutions
▪ Best Practices for Container Security
▪ Best Practices for Docker Security
▪ Best Practices for Kubernetes Security
▪ Best Practices for Serverless Security
▪ Zero Trust Networks
▪ Organization/Provider Cloud Security Compliance Checklist
▪ International Cloud Security Organizations
▪ Shadow Cloud Asset Discovery Tools
▪ Cloud Security Tools
▪ Container Security Tools
▪ Kubernetes Security Tools
▪ Serverless Application Security Solutions
▪ Cloud Access Security Broker (CASB)
o CASB Solutions
• Forcepoint CASB
▪ Next-Generation Secure Web Gateway (NG SWG)
o NG SWG Solutions

Module 20: Cryptography


Cryptography Concepts
▪ Cryptography
▪ Government Access to Keys (GAK)
Encryption Algorithms
▪ Ciphers
▪ Data Encryption Standard (DES) and Advanced Encryption Standard (AES)
▪ RC4, RC5, and RC6 Algorithms
▪ Twofish and Threefish
▪ Serpent and TEA
▪ CAST-128
▪ GOST Block Cipher and Camellia
▪ DSA and Related Signature Schemes
▪ Rivest Shamir Adleman (RSA)
▪ Diffie-Hellman
▪ YAK
▪ Message Digest (One-Way Hash) Functions
o Message Digest Function: MD5 and MD6
o Message Digest Function: Secure Hashing Algorithm (SHA)
o RIPEMD-160 and HMAC
▪ Other Encryption Techniques
o Post-quantum Cryptography
o Lightweight Cryptography
▪ Comparison of Cryptographic Algorithms
▪ Cipher Modes of Operation
o Electronic Code Book (ECB) Mode
o Cipher Block Chaining (CBC) Mode
o Cipher Feedback (CFB) Mode
o Counter Mode
▪ Modes of Authenticated Encryption
o Authenticated Encryption with Message Authentication Code (MAC)
o Authenticated Encryption with Associated Data (AEAD)
▪ Applications of Cryptography - Blockchain
o Types of Blockchain
Cryptography Tools
▪ MD5 and MD6 Hash Calculators
▪ Hash Calculators for Mobile
▪ Cryptography Tools
▪ Cryptography Tools for Mobile
Public Key Infrastructure (PKI)
▪ Public Key Infrastructure (PKI)
o Certification Authorities
o Signed Certificate (CA) Vs. Self Signed Certificate
Email Encryption
▪ Digital Signature
▪ Secure Sockets Layer (SSL)
▪ Transport Layer Security (TLS)
▪ Cryptography Toolkits
▪ Pretty Good Privacy (PGP)
▪ GNU Privacy Guard (GPG)
▪ Web of Trust (WOT)
▪ Encrypting Email Messages in Outlook
o S/MIME Encryption
o Microsoft 365 Message Encryption
▪ Signing/Encrypting Email Messages on Mac
▪ Encrypting/Decrypting Email Messages Using OpenPGP
▪ Email Encryption Tools
Disk Encryption
▪ Disk Encryption
▪ Disk Encryption Tools: VeraCrypt and Symantec Drive Encryption
▪ Disk Encryption Tools
▪ Disk Encryption Tools for Linux
▪ Disk Encryption Tools for macOS
Cryptanalysis
▪ Cryptanalysis Methods
o Quantum Cryptanalysis
▪ Code Breaking Methodologies
▪ Cryptography Attacks
o Brute-Force Attack
o Birthday Attack
• Birthday Paradox: Probability
o Meet-in-the-Middle Attack on Digital Signature Schemes
o Side-Channel Attack
o Hash Collision Attack
o DUHK Attack
o Rainbow Table Attack
o Related-Key Attack
o Padding Oracle Attack
o DROWN Attack
▪ Cryptanalysis Tools
▪ Online MD5 Decryption Tools
Cryptography Attack Countermeasures
▪ How to Defend Against Cryptographic Attacks
▪ Key Stretching

Appendix A: Ethical Hacking Essential Concepts - I


Operating System Concepts
▪ Windows Operating System
o Windows Architecture
o Windows Commands
▪ Unix Operating System
o UNIX Directory Structure
o UNIX Commands
▪ Linux Operating System
o Linux Features
▪ macOS Operating System
o macOS Layered Architecture
File Systems
▪ Understanding File Systems
o Types of File Systems
o Windows File Systems
• File Allocation Table (FAT)
• FAT32
• New Technology File System (NTFS)
• NTFS Architecture
• NTFS System Files
• Encrypting File Systems (EFS)
• Components of EFS
• Sparse Files
o Linux File Systems
• Linux File System Architecture
• Filesystem Hierarchy Standard (FHS)
• Extended File System (EXT)
• Second Extended File System (EXT2)
• Third Extended File System (EXT3)
• Fourth Extended File System (EXT4)
o macOS File Systems
Computer Network Fundamentals
▪ Computer Networks
o Open System Interconnection (OSI) Model
o TCP/IP Model
o Comparing OSI and TCP/IP
o Types of Networks
o Wireless Standards
o Wireless Technologies
o Network Topologies
o Network Hardware Components
o Types of LAN Technology
• Ethernet, Fast Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet, Asynchronous Transfer Mode (ATM), Power over Ethernet (PoE)
• Specifications of LAN Technology
▪ Common Fiber Technologies
o Types of Cables
• Fiber Optic Cable, Coaxial Cable, CAT 3, CAT 4, CAT 5, CAT 5e, CAT 6, 10/100/1000BaseT (UTP Ethernet)
▪ TCP/IP Protocol Suite
o Application Layer Protocols
• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
✓ DNS Packet Format
✓ DNS Hierarchy
• DNSSEC
✓ How DNSSEC Works
✓ Managing DNSSEC for Domain Name
✓ What is a DS Record?
✓ How does DNSSEC Protect Internet Users?
✓ Operation of DNSSEC
• Hypertext Transfer Protocol (HTTP)
• Secure HTTP
• Hyper Text Transfer Protocol Secure (HTTPS)
• File Transfer Protocol (FTP)
✓ How FTP Works?
• Secure File Transfer Protocol (SFTP)
• Trivial File Transfer Protocol (TFTP)
• Simple Mail Transfer Protocol (SMTP)
• S/MIME
✓ How it Works?
• Pretty Good Privacy (PGP)
• Difference between PGP and S/MIME
• Telnet
• SSH
• SOAP (Simple Object Access Protocol)
• Simple Network Management Protocol (SNMP)
• NTP (Network Time Protocol)
• RPC (Remote Procedure Call)
• Server Message Block (SMB) Protocol
• Session Initiation Protocol (SIP)
• RADIUS
• TACACS+
• Routing Information Protocol (RIP)
o Transport Layer Protocols
• Transmission Control Protocol (TCP)
✓ TCP Header Format
✓ TCP Services
• User Datagram Protocol (UDP)
✓ UDP Operation
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS)
o Internet Layer Protocols
• Internet Protocol (IP)
✓ IP Header: Protocol Field
• What is Internet Protocol v6 (IPv6)?
✓ IPv6 Header
✓ IPv4 and IPv6 Transition Mechanisms
✓ IPv4 vs. IPv6
✓ Internet Protocol Security (IPsec)
• Internet Control Message Protocol (ICMP)
✓ Error Reporting and Correction
✓ ICMP Message Delivery
✓ Format of an ICMP Message
• Address Resolution Protocol (ARP)
✓ ARP Packet Format
✓ ARP Packet Encapsulation
• IGRP (Interior Gateway Routing Protocol)
• EIGRP (Enhanced Interior Gateway Routing Protocol)
• OSPF (Open Shortest Path First)
• HSRP (Hot Standby Router Protocol)
• Virtual Router Redundancy Protocol (VRRP)
• BGP (Border Gateway Protocol)
o Link Layer Protocols
• Fiber Distributed Data Interface (FDDI)
• Token Ring
• CDP (Cisco Discovery Protocol)
• VLAN Trunking Protocol (VTP)
• STP (Spanning Tree Protocol)
• Point-to-point Protocol (PPP)
▪ IP Addressing and Port Numbers
o Internet Assigned Numbers Authority (IANA)
o IP Addressing
o Classful IP Addressing
o Address Classes
o Subnet Masking
o Subnetting
o Supernetting
o IPv6 Addressing
o Difference between IPv4 and IPv6
o Port Numbers
▪ Network Terminology
o Routing
o Network Address Translation (NAT)
o Port Address Translation (PAT)
o VLAN
o Shared Media Network
o Switched Media Network
Basic Network Troubleshooting
▪ Unreachable Networks
▪ Destination Unreachable Message
▪ ICMP Echo (Request) and Echo Reply
▪ Time Exceeded Message
▪ IP Parameter Problem
▪ ICMP Control Messages
▪ ICMP Redirects
▪ Troubleshooting
o Steps for Network Troubleshooting
• Troubleshooting IP Problems
• Troubleshooting Local Connectivity Issues
• Troubleshooting Physical Connectivity Issues
• Troubleshooting Routing Problems
• Troubleshooting Upper-layer Faults
• Troubleshooting Wireless Network Connection Issues
o Network Troubleshooting Tools
• Ping
• Traceroute and Tracert
• Ipconfig and Ifconfig
• NSlookup
• Netstat
• PuTTY and Tera Term
• Subnet and IP Calculators
• Speedtest.net
• Pathping and mtr
• Route
Virtualization
▪ Introduction to Virtualization
▪ Characteristics of Virtualization
▪ Benefits of Virtualization
▪ Common Virtualization Vendors
▪ Virtualization Security and Concerns
▪ Virtual Firewall
▪ Virtual Operating Systems
▪ Virtual Databases
Network File System (NFS)
▪ Network File System (NFS)
▪ NFS Host and File Level Security
Web Markup and Programming Languages
▪ HTML
▪ Extensible Markup Language (XML)
▪ Java
▪ .Net
▪ C#
▪ Java Server Pages (JSP)
▪ Active Server Pages (ASP)
▪ PHP: Hypertext Preprocessor (PHP)
▪ Practical Extraction and Report Language (Perl)
▪ JavaScript
▪ Bash Scripting
▪ PowerShell
▪ C and C++
▪ CGI
Application Development Frameworks and Their Vulnerabilities
▪ .NET Framework
▪ J2EE Framework
▪ ColdFusion
▪ Ruby on Rails
▪ AJAX
Web Subcomponents
▪ Web Subcomponents
▪ Thick and Thin Clients
▪ Applet
▪ Servlet
▪ ActiveX
▪ Flash Application
Database Connectivity
▪ Web Application Connection with Underlying Databases
o SQL Server
• Data Controls used for SQL Server Connection
o MS ACCESS
o MySQL
o ORACLE

Appendix B: Ethical Hacking Essential Concepts - II


Information Security Controls
▪ Information Security Management Program
▪ Enterprise Information Security Architecture (EISA)
▪ Administrative Security Controls
o Regulatory Frameworks Compliance
o Information Security Policies
• Types of Security Policies
• Examples of Security Policies
• Privacy Policies at Workplace
• Steps to Create and Implement Security Policies
• HR or Legal Implications of Security Policy Enforcement
o Security Awareness and Training
• Security Policy
• Physical Security
• Social Engineering
• Data Classification
o Separation of Duties (SoD) and Principle of Least Privileges (POLP)
▪ Physical Security Controls
o Physical Security
o Types of Physical Security Controls
o Physical Security Controls
▪ Technical Security Controls
o Access Control
o Types of Access Control
o Identity and Access Management (IAM)
o User Identification, Authentication, Authorization, and Accounting
o Types of Authentication
• Password Authentication
• Two-factor Authentication
• Biometrics
• Smart Card Authentication
• Single Sign-on (SSO)
o Types of Authorization
o Accounting
Network Segmentation
▪ Network Segmentation
▪ Network Security Zoning
▪ Network Segmentation Example: Demilitarized Zone (DMZ)
▪ Secure Network Administration Principles
o Network Virtualization (NV)
o Virtual Networks
o VLANs
Network Security Solutions
▪ Security Incident and Event Management (SIEM)
o SIEM Architecture
▪ User Behavior Analytics (UBA)
▪ Unified Threat Management (UTM)
▪ Load Balancer
▪ Network Access Control (NAC)
▪ Virtual Private Network (VPN)
o How VPN Works
o VPN Components
o VPN Concentrators
o Functions of a VPN Concentrator
▪ Secure Router Configuration
o Router Security Measures
o Design, Implement, and Enforce Router Security Policy
Data Leakage
▪ Data Leakage
▪ Data Leakage Threats
▪ What is Data Loss Prevention (DLP)?
Data Backup
▪ Data Backup
▪ RAID (Redundant Array Of Independent Disks) Technology
o Advantages and Disadvantages of RAID Systems
o RAID Level 0: Disk Striping
o RAID Level 1: Disk Mirroring
o RAID Level 3: Disk Striping with Parity
o RAID Level 5: Block Interleaved Distributed Parity
o RAID Level 10: Blocks Striped and Mirrored
o RAID Level 50: Mirroring and Striping Across Multiple RAID Levels
▪ Selecting an Appropriate Backup Method
▪ Choosing the Backup Location
▪ Data Recovery
Risk Management Concepts
▪ Risk Management
▪ Risk Management Framework
o Enterprise Risk Management Framework (ERM)
• Goals of the ERM Framework
o NIST Risk Management Framework
o COSO ERM Framework
o COBIT Framework
▪ Enterprise Network Risk Management Policy
▪ Risk Mitigation
▪ Control the Risks
▪ Risk Calculation Formulas
▪ Quantitative Risk vs. Qualitative Risk
Business Continuity and Disaster Recovery
▪ Business Continuity (BC)
▪ Disaster Recovery (DR)
▪ Business Impact Analysis (BIA)
▪ Recovery Time Objective (RTO)
▪ Recovery Point Objective (RPO)
▪ Business Continuity Plan (BCP)
▪ Disaster Recovery Plan (DRP)
Cyber Threat Intelligence
▪ Threat Intelligence Frameworks
o Collective Intelligence Framework (CIF)
▪ Threat Intelligence Data Collection
▪ Threat Intelligence Sources
o Open-Source Intelligence (OSINT)
o Human Intelligence (HUMINT)
o Signals Intelligence (SIGINT)
o Technical Intelligence (TECHINT)
o Geo-spatial Intelligence (GEOINT)
o Imagery Intelligence (IMINT)
o Measurement and Signature Intelligence (MASINT)
o Covert Human Intelligence Sources (CHIS)
o Financial Intelligence (FININT)
o Social Media Intelligence (SOCMINT)
o Cyber Counterintelligence (CCI)
o Indicators of Compromise (IoCs)
o Industry Association and Vertical Communities
o Commercial Sources
o Government and Law Enforcement Sources
▪ Threat Intelligence Collection Management
o Understanding Data Reliability
o Produce Actionable Threat Intelligence
▪ Collecting IoCs
▪ Create an Accessible Threat Knowledge Base
▪ Organize and Store Cyber Threat Information in Knowledge Base
▪ Threat Intelligence Reports
o Generating Concise Reports
▪ Threat Intelligence Dissemination
Threat Modeling
▪ Threat Modeling Methodologies
o STRIDE
o PASTA
o TRIKE
o VAST
o DREAD
o OCTAVE
▪ Threat Profiling and Attribution
Penetration Testing Concepts
▪ Penetration Testing
▪ Why do Penetration Testing?
▪ Comparing Security Audit, Vulnerability Assessment, and Penetration Testing
▪ Blue and Red Teaming
▪ Types of Penetration Testing
▪ Phases of Penetration Testing
▪ Security Testing Methodology
▪ Risks Associated with Penetration Testing
o Types of Risks Arising During Penetration Testing
▪ Pre-engagement Activities
▪ List the Goals of Penetration Testing
▪ Rules of Engagement (ROE)
Security Operations
▪ Security Operations
o Security Operations Center (SOC)
o SOC Operations
• Log Collection
• Log Retention and Archival
• Log Analysis
• Monitoring of Security Environments for Security Events
• Event Correlation
• Incident Management
• Threat Identification
• Threat Reaction
• Reporting
o SOC Workflow
Forensic Investigation
▪ Computer Forensics
▪ Phases Involved in the Computer Forensics Investigation Process
o Pre-investigation Phase
o Investigation Phase
o Post-investigation Phase
Software Development Security
▪ Integrating Security in the Software Development Life Cycle (SDLC)
o Functional vs. Security Activities in the SDLC
o Advantages of Integrating Security in the SDLC
▪ Security Requirements
o Gathering Security Requirements
o Why We Need Different Approaches for Security Requirement Gathering
o Key Benefits of Addressing Security at the Requirement Phase
▪ Secure Application Design and Architecture
o Goals of the Secure Design Process
o Secure Design Principles
• Design Secure Application Architecture
Security Governance Principles
▪ Corporate Governance Activities
▪ Information Security Governance Activities
o Program Management
o Security Engineering
o Security Operations
▪ Corporate Governance & Security Responsibilities
Asset Management and Security
▪ Asset Management
o Asset Ownership
o Asset Classification
o Asset Inventory
o Asset Value
o Protection Strategy and Governance
• Corporate Governance
• Security Governance
