图版好读版： https://hackercat.org/pentesting/ec-council-ecsa-v10-experience 今日下午成功取得ECSA认证，打铁趁热，来分享一下心得， 因为把心得与技术分享合在同篇文章，所以内容很长。 会对资安有兴趣的不少人其实是想成为骇客，像是我自己也是， 当然骇客也有白帽与黑帽，这边就不多解释了。 进来这个领域之後如果是对骇客攻击手法有兴趣的新手， 可能很快就会听说「渗透测试」这个词汇， 那可能就会朝着向渗透测试的方向学习。 而ECSA这个认证正是EC-Council这个组织中针对渗透测试的认证之一。 英文全名为EC-Council Certified Security Analyst (ECSA): Penetration Testing 中文的话，以恒逸开课名称为例，为EC-Council ECSA资安分析专家认证课程。 此认证的内容包含资安分析与渗透测试的理论、技巧、方法与工具、执行完整的资讯安全 测试， 藉由此课程协助您设计出安全的资讯系统来防御骇客与恶意人士的攻击， 再经由渗透测试工具的执行演练，建立风险分析与备援计画，确保资讯系统的安全与强度 。 (此段内容为引述恒逸官网) 这边我想特别强调的是， ECSA是EC-Council中针对渗透测试的认证之一， 但是CEH并不是针对渗透测试的认证！ 我没有任何要贬低CEH或是抬高ECSA身价的意思， 我想我想表达的不是程度上困难上差异的问题， 而是CEH一直以来都并非针对渗透测试的课程与认证， 只是在资讯圈偶然发现有人会认为， 「要做渗透测试必须要有CEH」或是「想学渗透测试要上CEH」， 首先以性质来说，CEH就不是一个针对渗透测试的课程与认证， 再来呢，有无取得执照认证，与技术能力其实又是另一个话题了。 还有两件事情，第一是EC-Council是有建议的考试顺序，可以参考下图： 第二就是，这个ECSA认证，明年五月过後好像就考不到了XD -- 考试动机与报名课程 再接下去谈准备的历程前，首先我必须先说明， 自己目前工作内容即为渗透测试， 所以对於渗透测试的理论、技巧、工具其实都有基础。 这次报名ECSA的动机其实主要是为了让履历好看的一点， 再来也是希望可以让自己的技术精益求精，更上层楼， 还有就是因为身边很多朋友报名了，价格又挺优惠， 就一股冲动刷卡刷下去了。(虽然优惠价比原价低很多，还是很痛心QQ) 课程是上恒逸开的课，讲师为Vincent唐任威老师， 这边不是客套，也没有任何要业配的意思， （拜托恒逸可以考虑斗内我，我也可以业配XDDDD） Vincent讲课真的是不错，内容丰富也不会太无聊， 并非仅针对考试与教材内容照本宣科进行单调的上课， 也会将课程内容带入实际上业界中资人员们所会遇到的情况说明。 课堂中都会有一些实作练习，若有问题则可以随时提问。 不过可惜的是，如同前面讲到我平常就在做渗透测试了， 所以课堂中约莫5~6成内容都是我已经会的，甚至已经熟悉的了。 但是仍然还是有学习到更多的手法与知识观念。 ECSA课程内容课程总共12个章节，钜细靡遗从情蒐至後渗透讲述各项渗透测试知识。 Introduction to Penetration Testing and Methodologies(渗透测试介绍) Penetration Testing Scoping and Engagement Methodology(渗透测试范畴与缔约) Open-Source Intelligence(OSINT)Methodology(情蒐) Social Engineering Penetration Testing Methodology(社交工程) Network Penetration Testing Methodology-External(外网渗透测试) Network Penetration Testing Methodology-Internal(内网渗透测试) Network Penetration Testing Methodology-Perimeter Devices(网路周边装置渗透测试 ) Web Application Penetration Testing Methodology(网站程式渗透测试方法) Database Penetration Testing Methodology(资料库渗透测试方法) Wireless Network Penetration Testing Methodology(无线网路渗透测试方法) Cloud Penetration Testing Methodology(云端渗透测试方法) Reports Writing and Post Test Action(撰写报告与测试後续动作) 准备历程与考试心得 我是九月份开始上课，共总上五堂课，11/1为最後一堂课， 每次上课都很认真，有作笔记也有尽量完成课堂中的练习。 课程结束之後，一直到12月初才开始准备， 12/20考试，总共准备时间为14天。 准备方法为每天看1~2个章节，8天的时间把12个章节看完一遍。 题目的部分，从第4天开始一直到考试前每天都会看「练习题」， 「练习题」一定要看熟！我这次考试的命中率绝对有7~8成以上， 可是有几点要注意的是， 1.可能有跟「练习题」一样题目，但是选项顺序会改变，甚至选项内容不同XD。 2.考题一定会平均每个章节都有出到，所以建议不要放弃任何章节。 3.「练习题」当中有些答案疑似是「错误的」。最下面会讲我认为的答案。 但这个又必须提一下，以传递正确知识来说有些答案应该是错误的， 但是考试时计分会依照「练习题」的错误答案，又或者是其他答案，我也不知道。 考试题数共150题，都是单选题。 通过的分数是70%，考试时间四个小时。 考试当天记得携带双证件，其中一张要有英文名字， 所以我是拿身分证跟一张有印英文名字的信用卡。 考试时因为可以往回作答，所以我的作法是， 考试一开始就先从第一题开始直接刷到最後一题， 看到确定答案的就答题填送答案， 有犹豫或是不确定就随便选一个先mark跳过， 等写到最後一题再回头一题一题看。 最後总共有近20题是我不太确定的吧， 可能就是二选一，或是讲白话就是乱猜哈哈， 不过最後成绩单是错了11题，所以我的猜运也没很好XD。 最後成绩单会有公布每个章节类型考的题数跟你答对的题目。 题目总共有13个领域，也就是前面提到的12个章节加上PT Essential Concepts， 而我错的11题，有5题都是错在PT Essential Concepts这个部分 XDDD 剩下的六题都很平均的分散在不同章节，每个章节都没有错超过一题以上。 接着不免俗的来晒一下认证通过。 小结一下，这张认证对於想说渗透测试课程的人， 是很不错的课程认证，可以学习EC-Council的渗透测试流程 当然，渗透测试课程认证不只EC-Council有而已， 有兴趣的人也可以参考、比较其他组织单位的渗透测试认证, 再来做评估与考量，选择自己适合或是有兴趣的。 还有顺便强调，对於想真正学会渗透测试的人呢， 光是上完课、看完教材、最後取得认证， 我相信你还是没办法真的算会渗透测试的， 强烈建议想学会渗透测试的，上课的实作练习都要做， 课堂与教材里面的工具都可以玩玩看， 还有课程有提供一个线上的Lab可以实作练习， 这边讲实话，如果想靠这个课程取得认证的也学会渗透测试的话， 在时间压力与效率最大化情况下， 会建议好好看书跟「练习题」，先取得认证，拿到认证之後再玩Lab就可以。 以难度来说，我觉得这张认证要通过的难度不算很高， 但如果并没有资安背景与基础的人， 我认为难度会是满高的，建议有资安基础再来挑战。 -- 技术整理分享 下面是技术面的部份，整理一些重点跟题目答案想法。 *工具 建议需要了解的工具与协定 *Nmap https://nmap.org/book/man-port-scanning-techniques.html Nmap是实务上也很重要与常用的工具．建议多花时间好好了解各项参数用法与原理。 *aircrack-ng http://atic-tw.blogspot.com/search/label/aircrack-ng aircrack系列的工具，可以参考陈明照老师的网站，有足够详细的介绍。 *ICMP http://www.networksorcery.com/enp/protocol/icmp/msg3.htm *sqlmap SQLi自动化测试工具，知道基本常用用法 *法条与法案相关 Police and Justice Act 2006 建立国家警务改进机构的法案；规定警察部队和警察当局以及警察退休金；规定警察的权 力以及社区支助官员，度量衡检查员等的权力和职责；规定向警察和其他人提供死亡登记 簿中包含的信息；为打击犯罪和混乱作进一步规定；就某些视察局作出进一步规定；修改 《 2003年刑事司法法》第12部分；修改《 1990年计算机滥用法》；规定没收儿童的不雅 图片；就与移民和庇护有关的官员行使执法职能方面的规定，向独立警察投诉委员会授予 职能；修改《 2003年引渡法》；进一步规定在刑事诉讼中使用实时链接；并用於连接目 的。 Data Protection Act 1998 《1998年数据保护法案》（简称DPA）是英国一项议会法案。该法案规定了如何处理可识 别身份的在世人士的个人信息，是数据保护管制的主要法规。虽然该法案本身并没有提到 隐私，它的颁布使英国关於个人信息的处理以及此类信息自由流通的相关规定符合1995年 欧盟数据保护指令中对个人的保护所作出的相关指示。在执行上，这项法案让个人有途径 控制与自己有关的信息。该法案的大部分并不是针对家居用途，例如保存一份个人的地址 簿。根据规定，任何人要将个人信息用於其他目的时，都有义务遵循这一法案，但有一些 例外。该法规定了八个数据保护原则，适用於各种情况，以确保信息的依法处理。 1998年法案取代、巩固了先前如《1984年数据保护法》和《1987年查阅个人档案法》等相 关法案。与此同时，它旨在贯彻欧洲数据保护指令。在一些方面中，特别是电子通信和销 售，它已因法律原因被後来的立法细化。 USA Patriot Act 2001 《美国爱国者法》是2001年10月26日由美国总统乔治·沃克·布希签署颁布的国会法。 这个法律以防止恐怖主义的目的，扩张了美国警察机关的权限。根据其内容，警察机关有 权搜索电话、电子邮件通讯、医疗、财务和其他种类的记录；减少对於美国本土外国情报 单位的限制；扩张美国财政部长的权限以控制、管理金融方面的流通活动，特别是针对与 外国人士或政治体有关的金融活动；并加强警察和移民管理单位对於拘留、驱逐被怀疑与 恐怖主义有关的外籍人士的权力。它也延伸了恐怖主义的定义，包括国内恐怖主义，扩大 了警察机关可管理的活动范围。 Human Rights Act 1998 进一步实施《欧洲人权公约》所保障的权利和自由的法令；对成为欧洲人权法院法官的某 些司法机关的负责人做出规定；并用於连接目的。 Gramm-Leach-Bliley Act 《金融服务法现代化法案》（Financial Services Modernization Act of 1999），规定 金融机构确保客户数据安全保密，规定数据必须保存在隐蔽的媒介中，必须采取特定的安 全措施来保护数据存储及传输安全。 随着美国金融业的发展和扩张，1933年的《格拉斯-斯蒂格尔法案》已经成为发展的障碍 。商业银行不满足於低利润的银行零售业，开始向投资银行渗透，很多商业银行都有变相 的投资银行部门。1999年，由柯林顿政府提交监管改革绿皮书(Green Book)，并经美国国 会通过，形成了《金融服务现代化法案》(Financial Services Modernization Act) ， 亦称《格雷姆-里奇-比利雷法案》 (Gramm-Leach-Bliley Act)。 《金融服务现代化法案》废除了1933年制定的《格拉斯-斯蒂格尔法案》有关条款，从法 律上消除了银行、证券、保险机构在业务范围上的边界，结束了美国长达66年之久的金融 分业经营的历史。其结果是商业银行开始同时大规模从事投资银行的活动，如花旗集团（ Citigroup）和摩根大通（JP Morgan）。 Sarbanes-Oxley 2002 《萨班斯・奥克斯利法案》（英语：Sarbanes-Oxley Act），是美国国会根据安隆有限公 司及世界通讯公司等财务欺诈事件破产暴露出来的公司和证券监管问题所立的监管法规， 简称《SOX法案》、《索克思法案》、《塞班斯法案》或《沙宾法案》。 法案全称《2002年上市公司会计改革和投资者保护法案》（Public Company Accounting Reform and Investor Protection Act of 2002），由参议院银行委员会主席萨班斯（ Paul Sarbanes）和众议院金融服务委员会主席迈克·奥克斯利联合提出，又被称作《 2002年萨班斯・奥克斯利法案》。该法案对美国《1933年证券法》、《1934年证券交易法 》做出大幅修订，在公司治理、会计职业监管、证券市场监管等方面作出了许多新的规定 。 *其他 *每个资料库(Datebase)的Port一定要熟记，送分题 Oracle 1521 Microsoft SQL Server 1433 MySQL 3306 PostgreSQL 5432 *IPv4与IPv6的两种技术 dual stack 是可以让两者同时使用, 预设IPv6优先 tunneling 是把IPv6包在IPv4当中 *社交工程的各项方法英文名词要知道 有点像是考英文而不是技术了, 英文名词都知道意思应该就满简单 Vishing, Phishing, Shoulder surfing, Eavesdropping, Tailgating, Dumpster diving. *基本IaaS、PaaS、SaaS要会区分 *黑白灰箱测是要会区分 黑箱有Blind跟Double Blind 白箱有Announced跟Unannounced -- 练习题的部分题目Review 应该是A (可以参考这篇 Pentesting Laws In UK) Irin is a newly joined penetration tester for XYZ Ltd. While joining, as a part of her training, she was instructed about various legal policies and information securities acts by her trainer. During the training, she was informed about a specific information security act related to the conducts and activities like it is illegal to perform DoS attacks on any websites or applications, it is illegal to supply and own hacking tools, it is illegal to access unauthorized computer material, etc. To which type of information security act does the above conducts and activities best suit? A. Police and Justice Act 2006 B. Data Protection Act 1998 C. USA Patriot Act 2001 D. Human Rights Act 1998 这题明显的是B Thomas is an attacker and he skimmed through the HTML source code of an online shopping website for the presence of any vulnerabilities that he can exploit. He already knows that when a user makes any selection of items in the online shopping webpage, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST) after clicking the Submit button. He also knows that some fields related to the selected items are modifiable by the user (like quantity, color, etc.) and some are not (like price). While skimming through the HTML code, he identified that the price field values of the items are present in the HTML code. He modified the price field values of certain items from $200 to $2 in the HTML code and submitted the request successfully to the application. Identify the type of attack performed by Thomas on the online shopping website? A. Session poisoning attack B. Hidden field manipulation attack C. HTML embedding attack D. XML external entity attack 这看起来没正确答案，看选项比较可能是B or D Peter, a disgruntled ex-employee of Zapmaky Solutions Ltd., is trying to jeopardize the company’s website http://zapmaky.com. He conducted the port scan of the website by using the Nmap tool to extract the information about open ports and their corresponding services. While performing the scan, he recognized that some of his requests are being blocked by the firewall deployed by the IT personnel of Zapmaky and he wants to bypass the same. For evading the firewall, he wanted to employ the stealth scanning technique which is an incomplete TCP three-way handshake method that can effectively bypass the firewall rules and logging mechanisms. Which if the following Nmap commands should Peter execute to perform stealth scanning? A. nmap -sT -v zapmaky.com B. nmap -T4 -A -v zapmaky.com C. nmap -sX -T4 -A -v zapmaky.com D. nmap -sN -A zapmaky.com 应该是B Identify the PRGA from the following screenshot: A. replay_src-0124-161120.cap B. fragment-0124-161129.xor C. 0505 933f af2f 740e D. 0842 0201 000f b5ab cd9d 0014 6c7e 4080 明显是A James is an attacker who wants to attack XYZ Inc. He has performed reconnaissance over all the publicly available resources of the company and identified the official company website http://xyz.com. He scanned all the pages of the company website to find for any potential vulnerabilities to exploit. Finally, in the user account login page of the company’s website, he found a user login form which consists of several fields that accepts user inputs like username and password. He also found than any non-validated query that is requested can be directly communicated to the active directory and enable unauthorized users to obtain direct access to the databases. Since James knew an employee named Jason from XYZ Inc., he enters a valid username “jason” and injects “jason)(&))” in the username field. In the password　field, James enters “blah” and clicks Submit button. Since the complete URL string entered by James becomes “(& (USER=jason)(&))(PASS=blah)),” only the first filter is processed by the Microsoft Active Directory, that is, the query “(&(USER=jason)(&))” is processed. Since this query always stands true, James successfully logs into the user account without a valid password of Jason. In the above scenario, identify the type of attack performed by James? A. LDAP injection attack B. HTML embedding attack C. Shell injection attack D. File injection attack 可能是 C or D Peter works as a lead penetration tester in a security service firm named Xsecurity. Recently, Peter was assigned a white-box pen test assignment testing the security of an IDS system deployed by a client. During the preliminary information gathering, Peter discovered the TTL to reach the IDS system from his end is 30. Peter created a Trojan and fragmented it in to 1-character packets using the Colasoft packet builder tool. He then used a packet flooding utility to bombard the IDS with these fragmented packets with the destination address of a target host behind the IDS whose TTL is 35. What is Peter trying to achieve? A. Peter is trying to bypass the IDS system using a Trojan B. Peter is trying to bypass the IDS system using the broadcast address C. Peter is trying to bypass the IDS system using the insertion attack D. Peter is trying to bypass the IDS system using inconsistent packets 我觉得比较像B Tecty Motors Pvt. Ltd. has recently deployed RFID technology in the vehicles which allows the car owner to unlock the car with the exchange of a valid RFID signal between a reader and a tag. Jamie, on the other hand, is a hacker who decided to exploit this technology with the aim of stealing the target vehicle. To perform this attack on the target vehicle, he first used an automated tool to intercept the signals between the reader and the tag to capture a valid RFID signal and then later used the same signal to unlock and steal the victim’s car. Which of the following RFID attacks Jamie has performed in the above scenario? A. RFID cloning B. Replay attack C. DoS attack D. Power analysis attack 我觉得比较像A The Rhythm Networks Pvt Ltd firm is a group of ethical hackers. Rhythm Networks was asked by their client Zombie to identify how the attacker penetrated their firewall. Rhythm discovered the attacker modified the addressing information of the IP packet header and the source address bits field to bypass the firewall. What type of firewall bypassing technique was used by the attacker? A. Source routing B. Proxy Server C. HTTP Tunneling D. Anonymous Website Surfing Sites 恸?! 这题真的不知道答案XD 我看到Ubuntu直觉是D Cedric, who is a software support executive working for Panacx Tech. Inc., was asked to install Ubuntu operating system in the computers present in the organization. After installing the OS, he came to know that there are many unnecessary services and packages in the OS that were automatically installed without his knowledge. Since these services or packages can be potentially harmful and can create various security threats to the host machine, he was asked to disable all the unwanted services. In order to stop or disable these unnecessary services or packages from the Ubuntu distributions, which of the following commands should Cedric employ? A. # update-rc.d -f [service name] remove B. # chkconfig [service name] –del C. # chkconfig [service name] off D. # service [service name] stop 我觉得是D (参考这个Examining port scan methods – Analysing Audible Techniques) During scanning of a test network, Paul sends TCP probe packets with the ACK flag set to a remote device and then analyzes the header information (TTL and WINDOW field) of the received RST packets to find whether the port is open or closed. Analyze the scanning result below and identify the open port. A. Port 22 B. Port 23 C. Port 21 D. Port 20 我觉得是B Martin works as a professional Ethical Hacker and Penetration Tester. He is an ESCA certified professional and was following the LPT methodology to perform the penetration testing. He is assigned a project for information gathering on a client’s network. He started penetration testing and was trying to find out the company’s internal URLs, (mostly by trial and error), looking for any information about the different departments and business units. Martin was unable to find any information. What should Martin do to get the information he needs? A. Martin should use email tracking tools such as eMailTrackerPro to find the company’s internal URLs B. Martin should use online services such as netcraft.com to find the company ’s internal URLs C. Martin should use WayBackMachine in Archive.org to find the company’s internal URLs D. Martin should use website mirroring tools such as HTTrack Web Site Copier to find the company’s internal URLs 应该是B Charles, a network penetration tester, is part of a team assessing the security of perimeter devices of an organization. He is using the following Nmap command to bypass the firewall: nmap -D 10.10.8.5, 192.168.168.9, 10.10.10.12 What Charles is trying to do? A. Packet Fragmentation B. Cloaking a scan with decoys C. Spoofing source address D. Spoofing source port number 应该是A Adam is a senior penetration tester at XYZsecurity Inc. He is auditing a wireless network for vulnerabilities. Before starting the audit, he wants to ensure that the wireless card in his machine supports injection. He decided to use the latest version of aircrack-ng tool. Which of the following commands will help Adam check his wireless card for injection? A. aireplay-ng -9 wlan0 B. airodump-ng wlan0 C. airdecap-ng -3 wlan0 D. aireplay-ng -5 –b wlan0 我觉得是A StarMotel is a prominent chain of hotels in the world that uses high-tech solutions to ease the stay of their guests. In those high-tech solutions, they deployed RFID cards using which a guest can get access to the allocated hotel room. Keeping an eye on the RFID technology and with an objective of exploiting it, John, a professional hacker, decided to hack it in order to obtain access to any room in the target hotel. In this process, he first pulled an RFID keycard from the trash of the target hotel and identified the master keycard code in several tries using an RFID card reading and writing tool. Then, he created its clone using a new RFID card that gave him free reign to roam in any hotel room in the building. Identify the RFID attack John has performed on the target hotel? A. RFID spoofing attack B. Reverse engineering attack C. RFID replay attack D. Power analysis attack 以上技术面也纯粹是我个人的一些想法跟心得， 当然不表示是最佳解，如果有任何想提出来讨论或纠正错误都可以喔！ 有问题都可以与我讨论，可以留言也可以寄信给我， 但是请不要跟我要「练习题」，因为各种考量，我是不会提供的， 不过要在网路上找得也很简单，大家去google也不难估狗到。 那最後就祝大家有报名的也都顺利通过考试罗～ --

※ 发信站: 批踢踢实业坊(ptt.cc), 来自: 123.193.195.5 (台湾) ※ 文章网址: https://webptt.com/cn.aspx?n=bbs/NetSecurity/M.1608509483.A.201.html 没有喔 不过我有大概翻过CEH的书 ※ 编辑: wavek (123.193.195.5 台湾), 12/29/2020 22:59:50