Capital Area Cyber Security User Group CLASS 3 Active



Strengths

Weakness

Security Interests

Something Fun
2

Give students offensive knowledge to better defend computer
networks

Hands-on security training to complement theory, put theories
into practice
◦ “Tell me and I'll forget; show me and I may remember; involve me and
I'll understand.”

Knowledge sharing: the power of group learning
3

Group Exercise: What do you see in the following pictures?
4

Increase experience with a multitude of security aspects

Network with other security-minded professionals

Play in a safe lab environment not offered at work or home

Earn CPEs to maintain certifications without high costs
◦ For CISSP
 Preparing and presenting a 2 hour presentation = 8 CPEs
 Participating 1 hour = 1 CPE
 Updating an existing presentation (see ISC2 chart for specifics)
5

Have your questions answered, bring hard issues that require
solutions

Improve public speaking and training skills
6
Course Chapters:
Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality
Chapter 2: Gathering Target Information: Reconnaissance, Footprinting,
and Social Engineering
Chapter 3: Gathering Network and Host Information: Scanning and
Enumeration
Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and
Hiding Files
Chapter 5: Trojans, Backdoors, Viruses, and Worms
Chapter 6: Gathering Data from Networks: Sniffers
Chapter 7: Denial of Service and Session Hijacking
Chapter 8: Web Hacking: Google, Web Servers, Web Application
Vulnerabilities, and Web-Based Password Cracking Techniques
Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows
Chapter 10: Wireless Network Hacking
Wi-Fi and Ethernet
Chapter 11: Physical Site Security
Chapter 12: Hacking Linux Systems
Chapter 14: Cryptography
Chapter 15: Performing a Penetration Test
Amazon.com
7

Class 1: Methodologies and Lab Setup

Class 2: Passive Information Gathering

Class 3: Active Information Gathering (Nessus)

Class 4: Wireless and Wired Network Enumeration

Class 5: Target System Penetration

Class 6: Privilege Escalation, Maintaining Access, and Malware

Class 7: Web Application Penetration

Class 8: Covering Tracks, IDS, Reporting, and Cleanup

Class 9: Metasploit

Class 10: Physical Security (Lock Picking etc.)

Class 11: Capture the Flag
8

Active Information Gathering
 Ping
 Port Scan
 Operating System Fingerprinting
 Intrusion Detection Systems

Exercises
9
DO NOT perform any activities from this
course on any network/system or on a network
connected device without proper permission!
Make sure you have written permission and authorization to conduct these
activities on any system. Conducting any activities related to penetration testing
requires the consent of the owner of the target system and the internet service
provider. Failure to obtain consent in the form of a legal contract can result in
fines and imprisonment.
10
Information Systems Security Assessment Framework (ISSAF)
11
 Critical Services
 Key Employees
 Partner Companies
 Company Website, IP and email addresses
 Physical address and location
 Domain names
 Types of operating systems, databases, servers, protocols, and
programming languages used (basic)
12

The process of searching for information that an attacker could
potentially use to exploit the target network
 Identify live systems
 Map the network
 Types of operating systems, databases, servers, protocols, and
programming languages used (in-depth)
 Identify system vulnerabilities
13

More information about the target can make the penetration
test easier during the later phases
◦ “Know your enemies and know yourself, you will not be imperiled in a
hundred battles.” –Sun Tzu, Art of War


“Generally, a hacker spends 90 percent of the time profiling
and gathering information on a target and 10 percent of the
time launching the attack.” -Kimberly Graves
“Good hackers will spend 90 – 95 percent of their time
gathering information for an attack.” -Walker
14

Timing the Attack
◦ Example around patch releases Microsoft Patch Tuesday or Oracle CPU
etc.
◦ Off hours such as holidays, vacations, or peak hours
15

Active
◦ Touch the device/network or talk to employees (vulnerability scan)

Passive
◦ Do not communicate/touch the target such as google searching for
publicly available information.
16


Internet Control Message Protocol (ICMP) is the part
of the TCP/IP protocol suite used to send error
messages for network diagnostics
Ping is the most common type of ICMP message
 Used to verify network connectivity
 Sends an echo request to a system and waits for an echo
response (only active systems respond)
 Cannot show which services a system is running
17
[Image: ping output for an active system response and an inactive system response]
 Question: What does this image tell you?
1) System is down
2) Or blocked
18
Build Your Own Security Lab
19


Command-line pinging only allows one system to be pinged at a time
Use a ping sweep to scan a large number of systems
 SuperScan
 Angry IP Scanner
 Nmap

Nmap's -sn option uses ping and TCP packets to find live hosts
20


Many administrators block ping from passing the gateway
device
Ensure blocked activity is logged and generates notifications
◦ Configure rules, test, and monitor; for example, a Snort rule that flags
TCP pings (ACK flag set, acknowledgement number 0) aimed at the subnet:
alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)

Disable running services that are not needed, so that ping sweeps cannot
use them to identify active systems
 Shields Up is a scan that will show what ports and services are open on a
local machine
 Netstat
 Currports
21

Port Scanning
◦ Determine Open Ports and Services

Network Scanning
◦ Identify IP address on a network/subnet

Vulnerability Scanning
◦ Discover weaknesses on target systems
25



Do not scan without permission!
Scanning can cause a denial of service (DoS) and can land you in jail.
Your ISP might drop your scanning attempts and/or blacklist you
26

Kimberly Graves CEH Book
27

Determine when to scan
◦ Don’t risk discovery if you already know the host is easy to hack
◦ If a specific host is well guarded, opt for a less guarded host or
implement a different strategy such as social engineering
28

Port scanning probes the 65,535 TCP and UDP ports to
discover listening services on a target system
 An attacker can determine the best means of attacking a system by
knowing the open services and version numbers

Most scans only look at the first 1024 ports since those ports are
most often attacked
 FTP (20/21)
 Telnet (23)
 SMTP (25)
 DNS (53)
 TFTP (69)
 HTTP (80)
 SNMP (161/162)
29

Malicious software default ports
◦ port 1095 Remote Administration Tool – RAT
◦ port 7777 Tini
◦ port 31335 Trinoo
◦ port 31337 Back Orifice

Weak protocol ports
 FTP (20/21)
 Telnet (23)

Common Windows ports
30

Common Linux software based ports

Common Apple used ports

Look for software that only runs on a specific O/S
31

Open – accepting incoming requests
Closed – accessible but no application listening on it
Filtered – firewall screening the port
Unfiltered – determined to be closed, no firewall
Open | Filtered – unsure if open or filtered
Closed | Filtered – unsure if closed or filtered
32
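Added example, not from the slides: the decision table a scanner applies to turn a probe's reply into one of the six states above, for the SYN, ACK and FIN scans the labs run later (plus UDP). The reply labels (SYN/ACK, RST, ICMP_UNREACH, ICMP_PORT_UNREACH, UDP_REPLY, None) and the sample reply set are this example's own assumptions, not scanner output.

```python
# Added example (not from the slides): the decision table behind the six port states.
from typing import Dict, Iterable, List, Optional, Tuple

# Reply vocabulary assumed by this example (not scanner output):
#   "SYN/ACK", "RST", "ICMP_UNREACH", "ICMP_PORT_UNREACH", "UDP_REPLY", or None
def classify_port(scan: str, reply: Optional[str]) -> str:
    """Return the port state for one probe of type `scan` that received `reply`.

    scan is "SYN" (nmap -sS / -sT), "ACK" (-sA), "FIN" (-sF) or "UDP" (-sU);
    reply is None when nothing came back before the timeout.
    """
    if reply == "ICMP_UNREACH":
        # An admin-prohibited style unreachable means a filter dropped the
        # probe, whichever scan type sent it.
        return "filtered"
    if scan == "SYN":
        if reply == "SYN/ACK":
            return "open"             # a listener answered step 2 of the handshake
        if reply == "RST":
            return "closed"           # host reachable, nothing listening
        return "filtered"             # silence: a firewall dropped the SYN
    if scan == "ACK":
        # Both open and closed ports reset an unexpected ACK, so this probe
        # only reveals whether a stateless filter sits in the way.
        return "unfiltered" if reply == "RST" else "filtered"
    if scan == "FIN":
        if reply == "RST":
            return "closed"           # RFC 793 stacks reset a FIN to a closed port
        return "open|filtered"        # open ports and filtered ports both stay silent
    if scan == "UDP":
        if reply == "UDP_REPLY":
            return "open"
        if reply == "ICMP_PORT_UNREACH":
            return "closed"           # ICMP type 3 code 3: no UDP listener
        return "open|filtered"        # most UDP services ignore an empty datagram
    raise ValueError(f"unknown scan type {scan!r}")


def summarize(scan: str, replies: Iterable[Tuple[int, Optional[str]]]) -> Dict[str, object]:
    """Fold per-port replies into a report: the most common state is hidden
    behind a count (as in "Not shown: N filtered ports"), the rest are listed."""
    by_state: Dict[str, List[int]] = {}
    for port, reply in replies:
        by_state.setdefault(classify_port(scan, reply), []).append(port)
    hidden = max(by_state, key=lambda s: len(by_state[s]))
    return {
        "hidden_state": hidden,
        "hidden_count": len(by_state[hidden]),
        "shown": {s: sorted(p) for s, p in by_state.items() if s != hidden},
    }


# Constructed sample: a SYN scan of seven ports on a host behind a firewall
# that only passes 22, 23 and 80; port 23 is reachable but has no listener.
SAMPLE_SYN_REPLIES: List[Tuple[int, Optional[str]]] = [
    (22, "SYN/ACK"), (23, "RST"), (80, "SYN/ACK"),
    (135, None), (139, None), (445, "ICMP_UNREACH"), (3389, None),
]

if __name__ == "__main__":
    print(summarize("SYN", SAMPLE_SYN_REPLIES))
```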


Applications use TCP/UDP ports to use the correct protocols
for network communication
TCP uses a three-step handshake to open a data link and a
four-step shutdown to close the link
 A one-byte flag field controls communication (URG, ACK, PSH, RST,
SYN, FIN)
 Nmap manipulates the flags to identify active systems

UDP does not use handshaking, so it is faster but less reliable
and easier to spoof. “Fire and Forget”
33
[Diagram: TCP startup and shutdown]
Startup process:
 SYN: sequence # 110 (+1)
 SYN ACK: (your) sequence # 111, (my) sequence # 225 (+1)
 ACK: (your) sequence # 226, (my) sequence # 111
Data
Shutdown process:
 FIN: sequence # 310 (+1)
 ACK: (your) sequence # 311
 FIN: (my) sequence # 415 (+1)
 ACK: (your) sequence # 416
34
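Added example (not from the slides): a small Python model of the startup and shutdown exchange above, advancing each side's sequence number by the TCP rule that SYN and FIN consume one number, data consumes one per byte, and a bare ACK consumes none. The initial sequence numbers 110 and 225 come from the slide; the data lengths (199 bytes from the client, 189 from the server) are this example's assumptions, chosen so the FIN numbers come out as the diagram shows.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Segment:
    sender: str   # "client" or "server"
    flags: str    # "SYN", "SYN/ACK", "ACK", "DATA" or "FIN"
    seq: int      # sequence number carried by this segment
    ack: int      # next sequence number the sender expects (0 until one is known)


def _consumes(flags: str, payload_len: int) -> int:
    # SYN and FIN each occupy one sequence number; data occupies one per byte;
    # a bare ACK occupies none, which is why the slide shows 111 twice.
    return payload_len + (1 if ("SYN" in flags or "FIN" in flags) else 0)


class Peer:
    """One TCP endpoint: what it will send next and what it expects next."""

    def __init__(self, name: str, isn: int) -> None:
        self.name = name
        self.snd_next = isn   # our next sequence number (starts at the ISN)
        self.rcv_next = 0     # the other side's next expected sequence number

    def send(self, flags: str, payload_len: int = 0) -> Segment:
        seg = Segment(self.name, flags, self.snd_next, self.rcv_next)
        self.snd_next += _consumes(flags, payload_len)
        return seg

    def receive(self, seg: Segment, payload_len: int = 0) -> None:
        self.rcv_next = seg.seq + _consumes(seg.flags, payload_len)


def tcp_session(client_isn: int, server_isn: int,
                client_bytes: int, server_bytes: int) -> List[Segment]:
    """Replay the slide's startup, data and shutdown steps; return every segment."""
    client, server = Peer("client", client_isn), Peer("server", server_isn)
    log: List[Segment] = []

    def exchange(src: Peer, dst: Peer, flags: str, payload_len: int = 0) -> None:
        seg = src.send(flags, payload_len)
        dst.receive(seg, payload_len)
        log.append(seg)

    exchange(client, server, "SYN")                  # seq 110, SYN uses one number
    exchange(server, client, "SYN/ACK")              # seq 225 (+1), acks 111
    exchange(client, server, "ACK")                  # seq 111 again, acks 226
    exchange(client, server, "DATA", client_bytes)   # bytes 111 .. 110+client_bytes
    exchange(server, client, "DATA", server_bytes)   # bytes 226 .. 225+server_bytes
    exchange(client, server, "FIN")                  # seq 310 (+1)
    exchange(server, client, "ACK")                  # acks 311
    exchange(server, client, "FIN")                  # seq 415 (+1)
    exchange(client, server, "ACK")                  # acks 416
    return log


# The slide's ISNs are 110 and 225; the data lengths are this example's
# assumptions that make the FIN sequence numbers come out at 310 and 415.
SLIDE_SESSION = (110, 225, 199, 189)

if __name__ == "__main__":
    for seg in tcp_session(*SLIDE_SESSION):
        print(f"{seg.sender:6} {seg.flags:7} seq={seg.seq} ack={seg.ack}")
```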
SYN – initiates a connection between hosts
ACK – acknowledges data; an established connection between hosts
PSH – system is forwarding buffered data
URG – data in the packet is processed quickly
FIN – no more transmissions
RST – resets the connection
36

All scans will display RST for closed ports, except for an ACK
scan which will return no response.
37


RPC scan: determine if open ports are RPC ports
Idle scan: use an idle host to bounce packets and make the scan harder to trace

[Diagram: closed port idle scan] The attacker sends an IPID probe to the idle host
(response IPID = 12345), then a SYN to the victim bounced via the idle host; the
victim answers the idle host with RST, which the idle host ignores; a second IPID
probe returns IPID = 12346 (incremented by one: port closed)

[Diagram: open port idle scan] The attacker sends an IPID probe to the idle host
(response IPID = 12345), then a SYN to the victim bounced via the idle host; the
victim answers the idle host with SYN/ACK, and the idle host replies RST
(IPID = 12346); a second IPID probe returns IPID = 12347 (incremented by two:
port open)
38

GUI-based
 Nmap, SuperScan

Command line-based
 Nmap, hping2

Nmap is an open source network mapping and security
auditing tool that modifies IP packets to gain information
about active systems
39

Basic scan options:
 -sS (TCP SYN)
 -sT (TCP full connect)
[Image: TCP full connect example]
40

Nmap switches (categories): ping options, scan types, output, scan speed
41


Zenmap: the free cross-platform Nmap GUI
Additional features:
 Save scan results
 Save scan options for repetitive scans
 Sort scans by host, port, and service
 Display scan results in a more user-friendly format
 Display a visual interpretation of traceroute
42
Nmap.org
root@bt:~# hping2 --scan 1-445 -S localhost
Scanning localhost (127.0.0.1), port 1-445
445 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name | flags |ttl| id | win |
+----+-----------+---------+---+-----+-----+
111 sunrpc : .S..A... 64 0 32792
All replies received. Done.
Not responding ports:
43

Only keep necessary ports open
 Periodically check for open ports and close unused ports
 Employee policies, training, and rules of behavior

Filter traffic through a stateful inspection firewall
IDS
Change service banners so that they return incorrect information
44
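Added example (not from the slides): the "periodically check for open ports" countermeasure as a Python audit of netstat -an -p tcp output, reporting listeners that are not on an approved baseline and naming any that sit on the malware default ports from the earlier slide. The netstat lines and the approved-port list are constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an -p tcp` output (Windows layout); not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    10.0.2.15:139          0.0.0.0:0              LISTENING
  TCP    10.0.2.15:1045         10.0.2.60:23           ESTABLISHED
"""

# Assumed baseline: the ports this host is allowed to expose.
APPROVED_LISTENERS: Set[int] = {135, 139, 445, 3389}

# Default ports from the malware slide, so the audit can name what it sees.
MALWARE_DEFAULT_PORTS: Dict[int, str] = {
    1095: "Remote Administration Tool", 7777: "Tini",
    31335: "Trinoo", 31337: "Back Orifice",
}


def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every TCP socket in LISTENING state."""
    listeners: List[Tuple[str, int]] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")   # rpartition also copes with [::]:port
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(netstat_output: str,
                    approved: Set[int]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Split listeners into approved, loopback-only and unexpected.

    Unexpected entries carry a malware name when the port is a known default.
    Loopback-only listeners are reported separately: not reachable from the
    network, but still worth an explanation.
    """
    report: Dict[str, List[Tuple[str, int, str]]] = {
        "approved": [], "loopback_only": [], "unexpected": [],
    }
    for addr, port in parse_listeners(netstat_output):
        note = MALWARE_DEFAULT_PORTS.get(port, "")
        if port in approved:
            report["approved"].append((addr, port, note))
        elif addr in ("127.0.0.1", "[::1]"):
            report["loopback_only"].append((addr, port, note))
        else:
            report["unexpected"].append((addr, port, note))
    return report


if __name__ == "__main__":
    for kind, entries in audit_listeners(SAMPLE_NETSTAT, APPROVED_LISTENERS).items():
        for addr, port, note in entries:
            print(f"{kind:13} {addr}:{port} {note}")
```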


Find high value targets and/or weak targets
Actively modify and send IP packets to the target to elicit a
response that can identify the host operating system
 FIN probe, ACK value, bogus flag probe

More accurately determine the target OS
Nmap's -O and xprobe2's listening mode can actively identify
operating systems
The target computer can more easily detect active OS
fingerprinting scans
45

Stealthier by examining traffic on the network
 Sniffing vs. Scanning

Less accurate
46

The -O option will try to match response packets to a database
of known operating system fingerprints
 Nmap's -sV option can identify service banners on open ports

Limiters to speed up scans:
 --osscan-limit
 --max-os-tries
47

Block unneeded or suspicious traffic at the firewall
Use an Intrusion Detection System (IDS)
Set access control lists (ACL) on routers to block
suspicious traffic
48
 Intrusion detection systems (IDSs):
 Inspect network/host activity
 Identify suspicious traffic and anomalies
 Snort, Suricata

Two categories of IDS:
 Network-based intrusion detection systems
 Host-based intrusion detection systems

IDSs are usually made of multiple software applications and/or hardware
devices with the following components:
 Network sensors
 Central monitoring system
 Report analysis
 Database and storage components
 Response box
49

Types of intrusion detection system engines or methods:
 Signature-based
 Anomaly-based

[Diagram: signature-based] Current activity -> pattern matching against a
database of attack signatures -> if matched, generate and report alert

[Diagram: anomaly-based] Historical data -> learn and update normal activities;
current data -> compare with normal activities -> if characteristic, no alert;
if uncharacteristic, generate and report alert
50
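Added example (not from the slides) serving both the TCP ping rule on the countermeasures slide and the two engines in the diagram above: a toy signature engine that matches packets against that rule (ACK flag set, acknowledgement number 0, destination in 192.168.1.0/24) and a toy anomaly engine that learns from history how many distinct destination ports a source normally touches per minute and alerts on a port sweep. Packet records and field names are constructed for this example and are not Snort's.

```python
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# A packet record as this example represents it (constructed, not a Snort structure):
# src, dst (dotted IPs), dport, flags (set of TCP flag letters), ack, minute.
Packet = Dict[str, object]

# The countermeasures slide's rule, as matchable fields:
# alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)
TCP_PING_SIGNATURE = {
    "dst_net": ipaddress.ip_network("192.168.1.0/24"),
    "flags": {"A"},            # exactly the ACK bit, nothing else
    "ack": 0,
    "msg": "TCP ping detected",
}


def signature_alerts(packets: List[Packet], sig: dict = TCP_PING_SIGNATURE) -> List[str]:
    """Signature engine: compare every packet with the rule; alert if matched."""
    alerts = []
    for p in packets:
        if (ipaddress.ip_address(str(p["dst"])) in sig["dst_net"]
                and p["flags"] == sig["flags"] and p["ack"] == sig["ack"]):
            alerts.append(f'{sig["msg"]}: {p["src"]} -> {p["dst"]}:{p["dport"]}')
    return alerts


def ports_per_source_minute(packets: List[Packet]) -> Dict[Tuple[str, int], int]:
    """Distinct (destination, port) pairs each source touched in each minute."""
    seen: Dict[Tuple[str, int], set] = defaultdict(set)
    for p in packets:
        seen[(str(p["src"]), int(p["minute"]))].add((p["dst"], p["dport"]))
    return {key: len(targets) for key, targets in seen.items()}


class AnomalyEngine:
    """Anomaly engine: learn normal activity from history, flag the uncharacteristic."""

    def __init__(self, history: List[Packet], sigmas: float = 3.0) -> None:
        counts = list(ports_per_source_minute(history).values())
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)
        # Floor the spread at 1 so a very quiet baseline does not alert on noise.
        self.threshold = self.mean + sigmas * max(self.stdev, 1.0)

    def alerts(self, current: List[Packet]) -> List[str]:
        out = []
        for (src, minute), n in ports_per_source_minute(current).items():
            if n > self.threshold:
                out.append(f"port scan suspected: {src} touched {n} ports in minute {minute}")
        return out


def pkt(src: str, dst: str, dport: int, flags: str, ack: int, minute: int) -> Packet:
    return {"src": src, "dst": dst, "dport": dport, "flags": set(flags), "ack": ack, "minute": minute}


# Constructed history: two ordinary clients touching one or two services a minute.
HISTORY: List[Packet] = (
    [pkt("192.168.1.10", "192.168.1.5", 80, "S", 0, m) for m in range(20)]
    + [pkt("192.168.1.11", "192.168.1.5", 443, "S", 0, m) for m in range(20)]
    + [pkt("192.168.1.11", "192.168.1.6", 445, "S", 0, m) for m in range(0, 20, 2)]
)

# Constructed current traffic: one TCP ping, normal web traffic, then a
# 30-port sweep from the same outside host a minute later.
CURRENT: List[Packet] = (
    [pkt("10.0.2.15", "192.168.1.5", 80, "A", 0, 30),
     pkt("192.168.1.10", "192.168.1.5", 80, "S", 0, 30)]
    + [pkt("10.0.2.15", "192.168.1.5", port, "S", 0, 31) for port in range(20, 50)]
)

if __name__ == "__main__":
    engine = AnomalyEngine(HISTORY)
    for line in signature_alerts(CURRENT) + engine.alerts(CURRENT):
        print(line)
```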
[Table: tool comparison by ping sweep, port scan, passive OS, active OS, and
command line/GUI; only the tool and host OS columns are legible]
Tool: Host OS
 SuperScan: Win
 Angry IP Scanner: Win/Linux
 p0f: Win/Linux
 xprobe2: Linux
 THC-Amap: Linux
 Nmap: Win/Linux
 TCPTraceroute: Linux
51

Useful information to prepare for social engineering
 Debt (payoff)
 Disgruntled (layoffs from mergers)
 Vacations
 Embarrassing information (blackmail)
How to get this information:
 Run a credit report (illegal without permission)
 Find out via Facebook status etc.
 Bugs/cameras/spies/stakeout/pick pocket
52

Kevin Mitnick – Father of social engineering
◦ At age 12, socially engineered a bus driver to circumvent the punch card
system for LA buses
◦ Went on to hack phones, systems, etc. and was captured and put in
solitary confinement due to fears that he could launch a nuclear missile
by whistling into a phone
53

Wardriving – driving around a target with special equipment to
record information about WAPs
 Equipment: laptop with a wireless network interface controller, GPS device,
antennae and network discovery tools (Kismet)

Warwalking – walking around or sitting near a target with a laptop
and other equipment in a backpack
Warflying
54

Sniff traffic on the WLAN for
 Operating systems
 Ports/services information
 Passwords
 Misc sensitive information
55
[Image: Kismet UI main view]

Dial every number until an unsecured modem is found (war dialing)
Still a problem
◦ Modem backup connection
◦ Old and never retired

Tools: THC-Scan, PhoneSweep, and Telesweep
Prevention
◦ No modem policy
◦ Strong passwords
◦ Test for modems using tools
◦ Look for modems (desk to desk checks)
56

Proxies
◦ The proxy is seen as performing bad activities instead of you
◦ Free proxies are available to use such as ProxyChains
◦ Anonymizer
 Caution: choose the right one, Anonymouse.org
 Useful for blocked sites
57

Spoofing IP address
◦ Nmap can spoof IP
◦ Caution: the data you want will go to the spoofed IP instead of you

The Onion Router (TOR)
◦ Anyone can be a TOR endpoint
◦ Client bounces internet requests via random TOR relays

Tunneling
Hiding files
58

You should now know specific information about the target
system(s)
By knowing the active devices, open ports, running services,
and device operating system, you can search for vulnerabilities
to exploit and use the listening services to gain more
information
Next class: Enumerating Target Systems

Questions?


59


Lab setup
Exercises
◦ Ping sweep
◦ Port scan
◦ Banner grabbing
◦ Passive OS identification
◦ Active OS identification
◦ Manual vulnerability identification
◦ Automated vulnerability identification (Nessus)
61
Host operating system = Ubuntu (Linux)
Virtual machine = VirtualBox
VMs = Backtrack, Windows (Guest PC and XP-1), badstore
Each laptop has its own separate standalone lab environment
How to start the lab environment…
1) Open VirtualBox
2) Ensure that the Backtrack VM is powered on
3) Log on to Backtrack (root/toor) and type startx
4) Set the static IP address (.100)
5) Ensure that the badstore VM has the badstore CD mounted
and then start the VM
6) Configure the badstore VM IP address via the following
command:
ifconfig eth0 up 10.0.2.200 netmask 255.255.255.0
62

In the following scenario, you will need to gather as much
information about your target as possible that can be used in
planning the attack.

Your target is example.com. The company has hired you to confirm
that their security awareness programs and policies are working as
intended. In other words, they want you to confirm that employees
do not open unnecessary ports/services or use unapproved software
which increases the attack surface of the company.
63
1. We are going to do a ping sweep of the local subnet. Open a
command line terminal in BackTrack
2. Type nmap -sn 10.0.2.0/24 to perform a ping sweep
over a range of IP addresses
 List the IP addresses of running hosts
3. Type nmap -sn --send-ip 10.0.2.15 to run the ping scan
using ICMP ping.
 List the IP addresses of running hosts, has the number changed? If so,
why?
4. Open another command line terminal and type wireshark
5. Use the file menu to open a pcap file,
File > Open > Desktop > Lab3 > ping-blocked-pcap
6. Review the pcap and note that ping is blocked
64
7. Use the file menu to open additional pcap files,
File > Open > Desktop > Lab3 > ping-blocked-pcap
File > Open > Desktop > Lab3 > ping-allowed-timestamp-allowedpcap
File > Open > Desktop > Lab3 > ping-blocked-timestamp-allowedpcap
8. Review and compare the pcap files
65
1. We are going to do a ping sweep of the local subnet. Open
the super scan folder on Guest PC, C:\lab-tools\superscan
2. Run superscan > SuperScan4.exe
Type the start IP (10.0.2.0) and end IP (10.0.2.254) and press
the arrow button.
 From the “Host and Services Discovery” tab uncheck “UDP port
scan” and “TCP port scan”
 Then press the play button to perform a ping sweep over a range of IP
addresses
 List the IP addresses of running hosts
66
3. Now try the same IP range again but with the following
settings
 From the “Scan Options” tab, uncheck “hide systems with no open
ports” and rerun the scan
 Note the number of systems now and the information provided
 View the final scan via the “view html results” button
67

Note windows XP/Vista limitations
68
1. We are going to do a ping sweep of the local subnet. Open
angryip from the Guest PC. Navigate to c:\labtools\angryip, run the .exe file
2. Type the IP range
3. From the file menu select Tools > Preferences, on the
“scanning” tab check “scan dead hosts”
4. Press the start button to perform a ping sweep over a range of
IP addresses
 List the IP addresses of running hosts and note the duration of the
scan and compare it to the nmap scan.
69
1. We are going to do a ping sweep of the local subnet. Open
zenmap via the Backtrack command terminal: zenmap
2. Type the subnet to scan 10.0.2.0/24 and choose the ping
scan profile and then press scan to perform a ping sweep
over a range of IP addresses
 List the IP addresses of running hosts
 Press ctrl+p or from the menu Profile > New Profile, review the
options and note the hints for each option
70
1. We are going to do a ping sweep of the local subnet. Open
nessus via the “Nessus Client” shortcut on the Guest PC
desktop. (username = visitor, password = qwerty)
2. From the scan tab, launch the “host discovery” scan to
perform a ping sweep over a range of IP addresses
 List the IP addresses of running hosts
 Review the scan results
 Open My Documents and then open the pcap files to compare the
pcap of nmap host discovery vs nessus host discovery pcap
 Which pcap is larger and noisier?
71
1. Now that we know what hosts are running, we can port scan
them. Open a command line terminal in BackTrack
2. Type nmap and hit Enter to view a list of options
3. Type nmap -sT your_target_IP_address to perform an
Nmap full connect scan
 List the open ports and services
 Can you guess the OS from the services?
 Use -vv to increase the verbosity of the scan output
4. Run the other Nmap scan options and note new information
 -sS, -sA, -sF, -sV
 Save scan results using -oN and -oX
72
1. Now that we know what hosts are running, we can port scan
them. Open a command line terminal in BackTrack
2. Type wireshark and hit Enter
3. Use the file menu to open additional pcap files,
File > Open > Desktop > Lab3 > tcp-connection-example
Note the three step handshake capture in the pcap.
73
1. Open Nessus, and from the “scan” tab launch the port scan
2. Review the scan results and note the open ports
3. Review the scan policy and note the difference between the
host discovery and port scan policies
74
1. Run CurrPorts C:\lab-tools\currports\cports.exe
2. CurrPorts will run immediately and will display all ports on
your machine
3. Select a port and go to File > Properties. Review the process
ID, port number, and other info.
4. You can close a suspicious connection via File > Close
Selected TCP Connections.
5. Ensure that XP-1 host is up. From Guest PC, open a
command terminal and type: telnet 10.0.2.60 23
6. Refresh CurrPorts, and note the suspicious telnet connection.
Follow step 4 above to close the connection.
75
1. From the Guest PC command prompt type netstat /? and
review the help file
2. Type netstat -a -p tcp 10
 List the open ports and services and compare to the nmap/nessus
results
 (optional) Ensure that XP-1 host is up. From Guest PC, open a
command terminal and type: telnet 10.0.2.60 23
 (optional) Review the netstat command and note the telnet connection
76
1. We will now try to gain some information from the services listening on the open ports. Open
a command line terminal in BackTrack
2. You will now use the vi text editor to write a simple text file containing some HTTP
commands
 1. Type vi head.txt to open a new text file called “head.txt” and hit i to insert text
 2. Type the following:
GET HEAD / 1.0
CR
CR
 3. Hit Esc to stop inserting text, then hit Shift+z+z to save the file and quit the editor
3. You will now use netcat to try to gain some information from the open port 80 on the target.
Type nc -vv 192.168.1.180 80 < head.txt
4. What software and OS is the server running?
77
1. We will now try to gain some information from the
services listening on the open ports. Open a command
line terminal in BackTrack
2. Type:
 1. telnet 10.0.2.200 80
 2. GET HEAD / 1.0
3. What software and OS is the server running?
78
1. We are going to find out what operating system is running on one of
Google’s servers. Open a command line terminal in BackTrack and
set the DHCP IP address by typing dhclient eth3
2. Then type: p0f -A
3. Open a web browser and go to freebsd.org
 Take note of the output in the terminal window
4. Hit Ctrl+C to stop running p0f
5. Open Ettercap by typing ettercap -G and start unified sniffing on
eth3
6. Navigate to View > Profiles
7. Navigate to Start > Start Sniffing
8. Go to freebsd.org again
9. Take note of the output in the Ettercap window
10. Compare to http://uptime.netcraft.com/up/graph
79
1. We are going to perform active OS fingerprinting with Nmap
and xprobe2
2. Open a command line terminal in BackTrack and type
nmap -O your_target_IP_address (that is a capital O) to
perform an operating system fingerprint
 What is the general OS of the Windows machine?
1. Now use xprobe2 to perform host discovery.
2. From the Backtrack menu, Applications > Backtrack > Information
Gathering > Network Analysis > OS Fingerprinting > xprobe2
3. Type ./xprobe2 your_target_IP_address
 What is the best guess OS of the target?
80
1. We are going to perform active OS fingerprinting with Nessus.
2. From the scan tab, launch the “OS Discovery Scan”
 Review the results and note which plugin is used for OS discovery
 Compare the OS results to the NMAP results
 Review the scan policy to see how OS discovery is enabled
81
1. From a command line in Backtrack type: wireshark
2. Sniff traffic on eth3
3. Open a command line terminal in BackTrack and type
nmap -S 10.0.2.60 -e eth3 10.0.2.15
 Note that the responses do not go to your machine
 Note that a spoofed IP can be used to frame a competing company and
not just to hide your identity
 Note the source address and target address in the pcap
Type wireshark and hit Enter
Use the file menu to open additional pcap files,
File > Open > Desktop > Lab3 > spoofed-ip-example
82
1. From the Ubuntu machine use the web browser and navigate to
http://anonymouse.org/
 Choose English
 Click on Your Calling Card without Anonymouse and Your Calling
Card with Anonymouse to compare the results.
2. Enter a website to search anonymously and press the “surf
anonymously” button
83


Review vulnerabilities at US-CERT: http://www.us-cert.gov/cas/bulletins/ (released every Monday, always one
week behind)
Pick a vulnerability based on OS/service in the environment
to review and note the following items:
◦ The CVE reference number
◦ Impact scores (the higher the score the greater the impact)
◦ Vulnerable versions
84

Use Hackerstorm to review vulnerabilities
◦ Go to http://www.hackerstorm.com/start.html to start the OSVDB
hackerstorm tool
◦ Click the OSVDB search button at the bottom of the home screen.
Scroll through the vendors and choose Putty, and then click the view
button.
◦ From the next screen choose view all. Review the vulnerabilities listed
and click one to view details. From the tool you can see the description,
solution, references, etc.
◦ Note that this tool make it easy to search for vulnerabilities both old and
new by vendor etc.
85

From the Nessus scan tab, launch the “Internal Network Scan”
◦ Review the scan results and look for vulnerabilities that are exploitable
◦ Review the and investigate patches that can be applied to fix an
exploitable vulnerability
◦ Review the vulnerability via US CERT
86
http://www.dc-cybersecurity.com/
http://www.amazon.com/Certified-Ethical-Hacker-All-Guide/dp/0071772294
http://www.amazon.com/Certified-Ethical-Hacker-StudyGuide/dp/0470525207/ref=sr_1_1?s=books&ie=UTF8&qid=1323531433&sr=1-1
http://www.amazon.com/Build-Your-Own-SecurityLab/dp/0470179864/ref=sr_1_1?s=books&ie=UTF8&qid=1323535901&sr=1-1
http://en.wikipedia.org/wiki/Kevin_Mitnick
Oceans 11 clip: http://www.youtube.com/watch?v=Shg__OqtEwY
http://www.independent.co.uk/news/uk/this-britain/rafs-wartime-reconnaissancephotos-go-online-in-new-archive-1825926.html?action=gallery&ino=6
www.anywho.com
people.yahoo.com
www.zabasearch.com
www.peoplesearchnow.com
www.ZoomInfo.com
www.facebook.com
www.Linkedin.com
87
http://www.backtrack-linux.org/
http://www.de-ice.net/
National Vulnerability Database (nvd.nist.gov)
Exploit-Database (exploit-db.com)
Securitytracker (www.securitytracker.com)
Securiteam (www.securiteam.com)
Hackerstorm Vulnerability Research (www.hackerstorm.com)
Hackerwatch (www.hackerwatch.org)
SecurityFocus (www.securityfocus.com)
Security Magazine (www.securitymagazine.com)
SC Magazine (www.scmagazine.com)
www.myspace.com
http://investigatrixx.wordpress.com/2008/10/03/how-to-conduct-your-own-stake-outsurveillance/
http://www.ehow.com/how_4829346_run-credit-check-somebody.html
http://bobarno.com/thiefhunters/2009/08/atm-credit-card-fraud-sweden/
88
Sarah Palin http://www.youtube.com/watch?v=vgRA8oTk8ig&feature=related
http://www.youtube.com/watch?v=4pnKbibi6QY
http://en.wikipedia.org/wiki/Robin_Sage
http://mirror.anapnea.net/hbgary/aaron_hbgary_com/attachments/5482.pdf
www.wigle.net
http://archives.cnn.com/2002/TECH/internet/08/22/net.internalmemos/
http://wikileaks.org/
http://johnny.ihackstuff.com/ghdb/
http://uptime.netcraft.com/up/graph
www.geektools.com/whois.php
www.arin.net
http://www.us-cert.gov/cas/bulletins/
www.netstumbler.com
89
http://www.hackerstorm.com/start.html
http://www.visualroute.com
http://www.iwebtool.com/link_extractor
http://it.toolbox.com/blogs/managing-infosec/google-hacking-master-list-28302
http://cirt.net/passwords
www.spyfu.com
http://www.zillow.com
http://www.google.com/finance
www.Hoovers.com
www.Archive.org
http://www.socialengineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)
www.mailtracker.com
http://www.emailtrackerpro.com/demo.html
http://www.wikihow.com/Dumpster-Dive
www.kismetwireless.net

90

PDF mapping tools to the different phases of Pen testing.

Review the list of tools and pick tools that you know and can
demonstrate or that you would like to learn more about.
CEH Certified Ethical Hacker
All-in-One Exam Guide
Amazon.com
91


Social Engineering Toolkit
Maltego
92
•TBD
93