This 5 day course is designed to be beneficial anyone performing a cyber investigation. Law enforcement and military communities were specifically in mind during the design, however anyone in cyber security, information security, intelligence analysis, corporate security or physical security would benefit. You will learn to use various open-source tools from the Kali.org Linux distribution. You will learn both active and passive methods to gain information on the person(s) of interest. Hands-on labs combined with various hardware demonstrations, give you numerous opportunities to apply what was learned during the lecture. This course is 40% lecture and 60% hands-on
Topics you will cover in this course include:
Best practices to capture network traffic on 802.11 wireless, Bluetooth and ethernet networks. Aircrack, Kismet, tcpdump and Wireshark will be used. Capture filters will be used to narrow the scope of the case.
Capture both the 802.11 or Bluetooth specific headers as will as the TCP/IP protocol headers.
Decrypt WPA2 AES data using EAPOL packets in 802.11 in Wireshark.
Analyze the data using Wireshark. Various statistics and graphing which can be used to isolate connection patterns.
Identify ARP spoofing in Wireshark.
Signature identification and filtering for operating systems and connection establishment with Wireshark.
Extract executables and images from Wireshark.
Active Reconnaissance Wireshark is used during all to aide in the understanding of methods and protocols
Best practices to scan an environment using Nmap and Zenmap. From networks down to services on hosts, active scans will be used to gather data.
Use a SOCKS proxy and Tor to anonymize traffic scans.
Transparently intercept SSL/TLS connections via SSLsplit.
Discover the target companys IP netblocks, domain names and DNS record types via DNSRecon, dnsmap, nslookup and dig.
Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database via theharvester.
Search for potentially sensitive data across the network via smbmap. You will list share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.
Locate UPnP devices, consumer grade access points for example, via Miranda. You will gain fall control over application settings, and enumerate devices and services.
Build a dossier of websites, RDP services, and open VNC servers with header info and default credentials using EyeWitness.
Visualize relationships between the information gathered via CaseFile to create a summary of the data gathered.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.