40/2 Pradipat 13 Pradipat SamsenNai Phayathai 10400 Bangkok Tel: 02>2796545 Email: [email protected]http://citecclub.org CITEC Evolution Co., Ltd Company Profile & Services > Company Profile > Our Certification > Penetration Testing and Vulnerability Assessment Service > Software Development > Zero Day IT Security Show > Reputation > Training Service
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
2 . Pene t ra t ion Tes t ing and Vu lne rab i l i t y Assessment Se rv ices (ทดสอบความปลอดภัยและวิเคราะห์ความเสี่ยงของช่องโหว่บนระบบคอมพิวเตอร์และเครือข่าย)
• ควรเรียนคอร์ส Web Application Security และ Introduction to Ethical Hacking มาแล้ว
เป็นคอร์สที่จะปูพื้นฐานเกี่ยวกับการใช้งานระบบปฏิบัติการ Linux รวมไปถึงการใช้งาน Linux เป็น production server
อย่างปลอดภัย นอกจากนั้น ยังครอบคลุมถึงไฟล์ต่างๆ ที่มีความสําคัญบนระบบปฎิบัติการ Linux
ที่ประโยชน์สําหรับผู้โจมตีระบบด้วย
!
!
!
!
!
!
!
!
Course Ou t l i nes
1 . In t roduc t ion to E th ica l Hack ing (ETH)
รายละเอียดหลักสูตรอบรม ระดับเนือ้หา: Basic ระยะเวลาอบรม: 7 ชั่วโมง เนื้อหาหลักสูตร I n t roduc t ion to E th ica l Hack ing
1 . พื้นฐานเกี่ยวกับด้านความปลอดภัย (Ma in Focus O f Secur i t y )
ความปลอดภัยทางด้านกายภาพ ความปลอดภัยทางด้านการทํางาน ความปลอดภัยทางด้านการจัดการ 2 . ปัจจัยสําคัญของความปลอดภัย (T r i ang le O f Secur i t y )
ความลับ (Confidentiality) ความถูกต้อง (Integrity) ความพร้อมใช ้(Availability) ความรับผิดชอบ (Accountability) 3 . เป้าหมายของความปลอดภัย (Goa l O f Secur i t y )
การป้องกัน (Prevention) การตรวจจับ (Detection) การตอบโต้ (Response) 4 . เป้าหมายของการโจมตี (Goa l O f Hack ing )
การเข้าถึง (Access Attack) การแก้ไขข้อมูล (Modification And Repudiation) การหยุดการให้บริการ (Denial Of Services) 5 . ชนิดการโจมตีที่เป็นที่รู้จัก (Recogn iz ing Common A t tacks )
การทําการสร้าง backdoor (Backdoor Attack) การปลอมแปลง (Spoofing Attack) การส่งซ้ํา (Replay Attack) การดักจับข้อมูล (Sniffing Attack) การโจมตีช่องโหว่ของซอฟร์แวร์ (Software Exploitation) การทายรหัสผ่าน (Password-Guesting Attack) 6 . อะไรคือ Back t rack (Wha t i s Back t rack ) 7
7 . การทดสอบเจาะระบบ (Ph rase O f Pene t ra t i on Tes t ing ) 78 . การสอดส่องและการค้นหาแบบร่างของระบบ(Reconna issance & Foo tp r in t i ng )
TCP Connection Scanning SYN Scanning UDP Scanning FIN Scanning XMAS Scanning NULL Scanning 12 . การถอดรหัส(Password Crack ing ) 713 . การดักจับข้อมูล(Sn i f f i ng ) 714 . การดักข้อมูลตรงกลางระหว่าง Cl ien t & Se rve r (Man- In -The -M idd le ) 715 . การทำ Soc ia l Eng inee r ing
เครื่องมือที่ท่านจะได้ทดลองใช ้
เครื่องมือ Backtrack OS เครื่องมือการสอดส่อง (Reconnaissance & Footprinting) เครื่องมือการตรวจสอบค้นหา (Scanning) เครื่องมือการถอดรหัส (Password Cracking) เครื่องมือการดักจับข้อมูล (Sniffing) เครื่องมือการดักข้อมูลตรงกลางระหว่าง Client & Server (Man-In-The-Middle) เครื่องมือการทํา Social Engineering
2 . Web App l ica t ion In Secur i t y 101 (WAS101) รายละเอียดหลักสูตรอบรม
• ควรมีพื้นฐานด้าน Web Programming เช่น PHP, ASP หรือ Linux/Unix จะดีมาก
เนื้อหาที่ทําการอบรม
1 . I n t roduc t ion to Web App l ica t i on Secur i t y
• The Evolution of Web Applications • Defense Mechanisms • Web Application Technologies • Web Proxy with Tor • Open Web Application Security Project
2 . D iscove ry and Iden t i f y ing the Web App l ica t i on
• Mapping the Application • Web Spidering and Crawling • Discovering Paths and Files • Discovering Hidden content and parameter • Bypass Client-Side Controls
3 . Web App l ica t i on Vu lne rab i l i t i es
• Cross Site Scripting (XSS) • SQL Injection Flaws • Malicious File Execution • Insecure Direct Object Reference • Information Leakage and Improper Error Handling • Broken Access Control • Broken Authentication and Session Management • Insecure Cryptographic Storage • Ajax and Web Service Vulnerabilities
4 . Exp lo i t Web App l ica t i on
• Fuzzing Web Application • Using Web Exploit from Milw0rm • LFI to RCE Exploit • Writing LFI <> RCE Exploit with Perl Script • How to Protect File Inclusion
5 . Web Serve r Vu lne rab i l i t i es
• Vulnerable Web Server Configuration • Directory Listings • Dangerous HTTP Methods • Buffer Overflow Vulnerabilities • Path Traversal Vulnerabilities
6 . Goog le Hack ing
• Introduction to Google Hacking • Google Hacking Database (GHDB) • Google Hacking Basic / Advance Operator • Locating Exploits and Finding Targets • Tracking Down Web Servers, Login Portals, etc • Dirty Attack using Googlebot • Google Hacking Tools • How to Protect Google Hacking
7 . F ind ing Bugs in Sou rce Code
• Introduction to CMS • Exploits and Vulnerabilities Disclosure • Case Study For Find Bugs • How to Protect CMS Hacking • Tool for Automate Soure Code Review
8 . Web App l ica t i on Hacker ' s Too lk i t
• Web Browser and OS for Hacker • Integrated Testing Suites • Vulnerabilities Scanners
Introduction to Penetration Tester Black-Hat versus Penetration Tester Windows versus Unix/Linux Anatomy of a Hack
Advanced NMAP for Penetration Testing What's NMAP Command for Port Scanning Command for Pen-Test Automate NMAP with NSE (NMAP Script Engine) Break The system without Exploitation Introduction VA/PEN Tools VA using Nessus PEN using Metasploit Core Impact and CANVAS Automate Pen-Test with Opensource Tool
Mastering in Metasploit Framework Outstanding in Metasploit (What/How/Get) Advanced Metasploit Technique Exploit the Windows 2000 / XP2 / 2003 Exploit the Windows Vista / 2008 / Seven Client-Side Exploitation Vulnerability Assessment and Penetration Testing Automation Using Nexpose+Metasploit Requirement: 7- Vmware Workstation 6.5 or newer - Harddisk 30 GB 7- Ram 2 GB
4 . Pene t ra t i on Tes t ing and Inc iden t Response
Module 6: Dealing with Hotspot network (Or any unencrypted networks)
• Understand hotspot architecture • Identify vulnerable point • Various threats against hotspot users • Attacking methods against hotspot users • Consideration of using hotspot network
Module 7: Rouge AP
• What’s rouge AP • How to set up rouge AP • Credential information gathering • Exploit client vulnerability
Module 8: Analyze wireless network
• How to use analyzing tools • How to use tools to understand captured packets
7 . In t roduc t ion to L inux Admin is t ra t ion
รายละเอียดหลักสูตรอบรม ระดับเนือ้หา: Basic ระยะเวลาอบรม: 21 ชั่วโมง(3 วันวันละ 7 ชั่วโมง) โครงสร้างหลักสูตร: 1 . In t roduc t ion to L inux
History Of Linux Compare Unix x Windows Server x Linux Server Distro Of Linux Structure Of Linux 772 .F i l e Sys tem Type
Differential of each file system type(NTFS,EXT3,EXT2) 773 .L inux ins ta l l a t i on (W i th Cen tOS, Ubun tu , RHEL) 7774 .Command fo r use f i l e
edit file(vi) view file(cat , head , tail) modify file(sed , awk) find file or content (find , grep),listfile(ls) 775 .Run Leve l
Meaning of each run level how to config startup run level 7776 .Package O f L inux
package(rpm,deb) command for install package(aptitude , yum) how to configure repository how to remove package how to compile package 777 .Type o f Dev ice HDD
SATA,IDE(/dev/sda,/devhda) 778 .Manage User
add / remove user/group modify attribute of user/group 779 .F i l e / D i rec to ry
Permission Of file how to calculate permission number What is link file? how to link File 7710 .Command fo r manage f i l e
change owner or permission of file 7711 .Bas ic Command fo r Ne twork and P rocess
ifconfig , ps , top , netstat , ping ,route , arp , nslookup , traceroute , telnet 7712 .Type O f S t ream Inpu t , Ou tpu t D i rec t ion
how to use input/output redirection(>,>>) 7713 .Send resu l t t o command
| , xargs 7714 .Regu la r Express ion
Basic Regular Expression for character , symbol , number 7715 .She l l Sc r ip t
How to write shell script and syntax of shell script 7716 .Au tomat ic schedu le command
crontab 7717 .Moun t ing Po in t
Type Of Mounting Setting Of Mouting(/etc/fstab) mount command 7718 .LVM( log ica l Vo lume Managemen t )
What is LVM how to install lvm how to add/remove disk from lvm 7719 .RA ID(Redundan t A r ray o f Independen t D isks )
What is RAID Type of RAID how to setup software RAID 7720 .SSH
What is ssh how to setup ssh how to config ssh how to transfer file via ssh 7721 .Cac t i
What is Cacti How to setup host for monitoring with cacti Monitoring Server with cacti 22 . Bas ic L inux Harden ing 23 . Log Ana lys i s
Por t fo l i o Figure 1: Interviewed with Kaosam-Miti at CH3 about LINE application chat sniffing
2014- Current: Please learn more info at http://citecclub.org/gallery 2013
No. Date Company/Organization Description 1 Jan – June DSI, Police, NIA, MICT, Thai Military Cyber Crime Investigation Training 2 25 Sep Ministry of Commerce IT Security Consulting 3 15 Sep Various Companies Mastering In Exploitation 4 14 Sep Various Companies Introduction to Ethical Hacking 5 29 Aug King Mongkut’s Institute of Technology
Ladkrabang IT Security Topic at IT Openhouse’s event
6 27 July: Various Companies Introduction to Ethical Hacking 7 28 July: Various Companies Mastering In Exploitation Trainer 8 10-14
June: Defense Information and Space
Technology Department International Cyber Defense Workshop
9 28-31 May Ministry Information and Communication Technology
Cyber Crime Investigation Organizer #3
10 8-10 May for Ministry of Defense Offensive Security Training 11 22-26 April Ministry Information and
Communication Technology Cyber Crime Investigation Trainer #2
12 21-25 April King Mongkut’s Institute of Technology Ladkrabang
Special Speaker for CSCamp
13 1-5 April: Ministry Information and Communication Technology
Cyber Crime Investigation Training #1
14 31 Jan Junsakem University Special Speaker 15 24 Jan King Mongkut’s Institute of Technology
Ladkrabang Special Speaker for IDAY’s event
16 19-20 Various Companies Ethical Hacking + Mastering In Exploiation Workshop 17 12-13 Jan Various Companies C++ Programming Workshop
2012
No. Date Company/Organization Description 1 8-9 Dec Kasetsart University Ethical Hacking + Mastering In Exploitation Workshop 2 3-7 Dec Kasetsart University, Carnegie Mellon International Cyber Security Workshop (ICDW #1) by US
Army 3 29-30 Nov Defense Information and Space
Technology Department NCSC 2012 Participation
4 E-CQurity Co., Ltd Computer Security Training 5 20 Sep 3BB Broad Band Plc Computer Security Training 6 18 Sep King Mongkut’s University of North
Bangkok Study Guidance for Computer Science student
7 22 Aug King Mongkut’s University of North Bangkok
Guest Speaker about "Computer Security Awareness”
8 1 Aug Rajamongkol Pranakorn University Guest Speaker about "Computer Security Awareness” 9 24 July: National Research Council of Thailand Guest Speaker about "Cyber Security Research" 10 4-8 June: Kasetsart University, Carnegie Mellon International Cyber Security Workshop (ICDW #1) by US
Army 11 2-4 June King Mongkut’s University of
Technology Thonburi Young Whitehat Hacker Camp 2012
12 5,12 May Index Creative Online iOS Programming Workshop 13 28-29
April: Index Creative Online iOS Programming Workshop
14 28 Jan: Khunatee School Bangkok Guest Speaker at Parent Meeting 15 21 Jan: Kasetsart Sriracha Campus Guest Speak for Network Security Day 2012 16 7-8 Jan The Board of Investment of Thailand:
No. Date Company/Organization Description 1 8-9 Dec Kasetsart University Ethical Hacking + Mastering In Exploitation Workshop 2 28 Dec Mahidol University Speak at CITEC-Live #9 3 18 Sep Kasetsart University Speak at Barcamp Bangkhen 4 20 Aug Kasetsart University Ethical Hacking Workshop 5 21 Aug Faculty of Computer Engineering
King Mongkut’s University of Technology Thonburi
Mastering In Exploitation Workshop
6 27-28 Aug Faculty of Computer Engineering King Mongkut’s University of
Technology Thonburi
Web Application In Security Workshop
7 11 Aug: Roi-Et Wittayalai School. Study Guidance 8 5 Aug: Thai Nichi Institute of Technology Hacker Secret 2011. 9 1 July King Mongkut’s University of
10 20 May ICT, DSI, Police, NIA (สํานักข่าวกรอง) Computer Security Workshop 11 Feb-Mar University of the Thai Chamber of
Commerce Teaching Computer Security subject for CPE Student
12 2 April King Mongkut’s University of Technology Thonburi
Best Alumni student award (on behalf of CS02)
13 19-20 Feb Krasetsart University Web Application In Security Workshop 14 12 Feb: Krasetsart University Mastering In Exploitation Workshop 15 3 Feb: Rachabhat Suan Dusit University Special Speaker of Sec2U (Security to University) #4 16 31 Jan King Monkut's Institute of North
Bangkok (Prajean Buri) Special Speaker of Sec2U (Security to University) #3 at
17 12 Jan Computer Science and Computer Engineering at Khonkean University
Special Speaker of Sec2U (Security to University)
2010
No. Date Company/Organization Description 1 2 Dec: King Mongkut's Institute of Technology
Ladkrabang Special Speaker of Sec2U (Security to University) #1 @
Computer Science 2 28 Nov University of the Thai Chamber of
Commerce CITEC-CON #3
3 27 Nov University of the Thai Chamber of Commerce
The Hacker's Secret
4 23 Oct Sripratum University Speaker at Barcamp Bangkok #4 5 16 Oct Kasetsart University. Speaker at Barcamp Bangkhen 6 Aug – Dec European Union European Union’s website development. 7 27 Aug Junkasem University Special Speaker in Computer Security Topic 8 26 Aug King Mongkut's Institute of Technology
Ladkrabang Competition consultant of The network security
competition 9 8,15,20
Feb University of the Thai Chamber of
Commerce E-commerce course for marketing student
2009
No. Date Company/Organization Description 1 12, 22 Dec
2009 5, 12 Jan 2010
Thammasart University Special Lecturer for Advanced Operating System course for Computer Science student
2 1 Nov Kieatipong Mansion / Place. Internet Gateway implementer 3 16 Nov: Kasetsart University (Sriracha) Special Speaker of Network Security Day #2 4 28 Aug King Mongkut's Institute of Technology
Ladkrabang Hacking Competition for IT Day
5 8-9 Aug: University of the Thai Chamber of Commerce
June: Various Company/Organization Reverse Code Engineering #1 at Mahanakorn Yipsum
Bld 8 22-23 May Sripatum University Speaker of Barcamp BKK #3 9 2 May Sripatum University Wireless Network (In) Security 101 #1 10 21-22 Mar Sripatum University Web Application (In) Security 101 #2 11 28 Feb Chulalongkorn University Special Speaker of Think Camp 12 31 Jan - 1
Feb Various Company/Organization Web Application (In) Security 101 Mahanakorn Yipsum
Bld
2008
• 18 Dec: Google Adsense topic at Kasembundit (Pattankarn) University
• 16 Nov: Head organizer and speaker at CITEC-CON #2 at Mahanakorn Yipsum Bld
• 17 Aug: Special Speaker at Network Security Day 2008 KU Sriracha