CREST Practitioner Security Analyst Exam Syllabus

• Benefits and utility of penetration testing to the client.
• Structure of penetration testing, including the relevant processes and procedures.
• Concepts of infrastructure testing and application testing, including black box and white box formats.
• Project closure and debrief.

- Law & Compliance

• Knowledge of pertinent UK legal issues:
  - Computer Misuse Act 1990
  - Human Rights Act 1998
  - Data Protection Act 1998
  - Police and Justice Act 2006
• Impact of this legislation on penetration testing activities.
• Awareness of sector-specific regulatory issues.

- Scoping

• Understanding client requirements.
• Scoping project to fulfil client requirements.
• Accurate timescale scoping.
• Resource planning.

- Understanding Explaining and Managing Risk

• Knowledge of additional risks that penetration testing can present.
• Levels of risk relating to penetration testing, the usual outcomes of Such risks materialising and how to mitigate the risks.
• Effective planning for potential DoS conditions.

- Record Keeping, Interim Reporting & Final Results

• Understanding reporting requirements.
• Understanding the importance of accurate and structured record keeping during the engagement.

• IP protocols: IPv4 and IPv6, TCP, UDP and ICMP.
• Awareness that other IP protocols exist.

- Network Architectures

• Varying network types that could be encountered during a penetration test:
  - CAT 5 / Fibre
  - 10/100/1000baseT
  - Token ring
  - Wireless (802.11)
• Security implications of shared media, switched media and VLANs.

- Network Mapping & Target Identification

• Analysis of output from tools used to map the route between the engagement point and a number of targets.
• Network sweeping techniques to prioritise a target list and the potential for false negatives.

- Interpreting Tool Output

• Interpreting output from port scanners, network sniffers and other network enumeration tools.

- Filtering Avoidance Techniques

• The importance of egress and ingress filtering, including the risks associated with outbound connections.

- OS Fingerprinting

• Remote operating system fingerprinting; active and passive techniques.

- Application Fingerprinting and Evaluating Unknown Services

• Determining server types and network application versions from application banners.
• Evaluation of responsive but unknown network applications.

- Network Access Control Analysis

• Reviewing firewall rule bases and network access control lists.

- Cryptography

• Differences between encryption and encoding.
• Symmetric / asymmetric encryption
• Encryption algorithms: DES, 3DES, AES, RSA, RC4.
• Hashes: SHA1 and MD5
• Message Integrity codes: HMAC

- Applications of Cryptography

• SSL, IPsec, SSH, PGP
• Common wireless (802.11) encryption protocols: WEP, WPA, TKIP

- File System Permissions

• File permission attributes within Unix and Windows file systems and their security implications.
• Analysing registry ACLs.

- Audit Techniques

• Listing processes and their associated network sockets (if any).
• Assessing patch levels.
• Finding interesting files.

• Information contained within IP and domain registries (WHOIS).

- Domain Name Server (DNS)

• DNS queries and responses
• DNS zone transfers
• Structure, interpretation, and analysis of DNS records:
  - SOA
  - MX
  - TXT
  - A
  - NS
  - PTR
  - HINFO
  - CNAME

- Customer Web Site Analysis

• Analysis of information from a target web site, both from displayed content and from within the HTML source.

- Google Hacking and Web Enumeration

• Effective use of search engines and other public data sources to gain information about a target.

- NNTP Newsgroups and Mailing Lists

• Searching newsgroups or mailing lists for useful information about a target.

- Information Leakage from Mail & News Headers

• Analysing news group and e-mail headers to identify internal system information.

• Weaknesses in the protocols commonly used for the remote management of devices:
  - Telnet
  - Web based protocols
  - SSH
  - SNMP (covering network information enumeration and common attacks against Cisco configurations)
  - TFTP
  - Cisco Reverse Telnet
  - NTP

- Network Traffic Analysis

• Techniques for local network traffic analysis.
• Analysis of network traffic stored in PCAP files.

- Networking Protocols

• Security issues relating to the networking protocols:
  - ARP
  - DHCP
  - CDP
  - HSRP
  - VRRP
  - VTP
  - STP
  - TACACS+

- IPSec

• Enumeration and fingerprinting of devices running IPSec services.

- VoIP

• Enumeration and fingerprinting of devices running VoIP services.
• Knowledge of the SIP protocol.

- Wireless

• Enumeration and fingerprinting of devices running Wireless (802.11) services.
• Knowledge of various options for encryption and authentication, and the relative methods of each.
• WEP
• TKIP
• WPA/WPA2
• EAP/LEAP/PEAP

- Configuration Analysis

• Analysing configuration files from the following types of Cisco equipment:
  - Routers
  - Switches
• Interpreting the configuration of other manufacturers’ devices.

• Identifying domains/workgroups and domain membership within the target network.
• Identifying key servers within the target domains.
• Identifying and analysing internal browse lists.
• Identifying and analysing accessible SMB shares

- User Enumeration

• Identifying user accounts on target systems and domains using NetBIOS, SNMP and LDAP

- Active Directory

• Active Directory Roles (Global Catalogue, Master Browser, FSMO)
• Reliance of AD on DNS and LDAP
• Group Policy (Local Security Policy)

- Windows Passwords

• Password policies (complexity, lockout policies)
• Account Brute Forcing
• Hash Storage (merits of LANMAN, NTLMv1 / v2)
• Offline Password Analysis (rainbow tables / hash brute forcing)

- Windows Vulnerabilities

• Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public domain.
• Knowledge of local windows privilege escalation vulnerabilities and techniques.
• Knowledge of common post exploitation activities:
  - obtain password hashes, both from the local SAM and cached credentials
  - obtaining locally stored clear-text passwords
  - crack password hashes
  - check patch levels
  - derive list of missing security patches
  - reversion to previous state

- Windows Patch Management Strategies

• Knowledge of common windows patch management strategies:
  - SMS
  - SUS
  - WSUS
  - MBSA

- Desktop Lockdown

• Knowledge and understanding of techniques to break out of a locked down Windows desktop / Citrix environment.
• Privilege escalation techniques

- Exchange

• Knowledge of common attack vectors for Microsoft Exchange Server.

- Common Windows Applications

• Knowledge of significant vulnerabilities in common windows applications for which there is public exploit code available.

• Discovery of valid usernames from network services commonly running by default:
  - rusers
  - rwho
  - SMTP
  - finger
• Understand how finger daemon derives the information that it returns, and hence how it can be abused.

- Unix vulnerabilities

• Recent or commonly found Linux vulnerabilities, and in particular those for which there is exploit code in the public domain.
• Use of remote exploit code and local exploit code to gain root access to target host.
• Common post-exploitation activities:
  - exfiltrate password hashes
  - crack password hashes
  - check patch levels
  - derive list of missing security patches
  - reversion to previous stat

- FTP

• FTP access control.
• Anonymous access to FTP servers.
• Risks of allowing write access to anonymous users.

- Sendmail / SMTP

• Valid username discovery via EXPN and VRFY.
• Awareness of recent Sendmail vulnerabilities; ability to exploit them if possible.
• Mail relaying

- Network File System (NFS)

• NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).
• Root squashing, nosuid and noexec options.
• File access through UID and GID manipulation.

- R* services

• Berkeley r* service:
  - access control (/etc/hosts.equiv and .rhosts)
  - trust relationships
• Impact of poorly configured trust relationships.

- X11

• X Windows security and configuration; host-based vs. user-based access control.

- RPC services

• RPC service enumeration.
• Common RPC services.
• Recent or commonly found RPC service vulnerabilities.

- SSH

• Identify the types and versions of SSH software in use.
• Securing SSH.
• Versions 1 and 2 of the SSH protocol.
• Authentication mechanisms within SSH.

• How a web server functions in terms of the client/server architecture.
• Concepts of virtual hosting and web proxies.

- Web Servers & their Flaws

• Common web servers and their fundamental differences and vulnerabilities associated with them:
  - IIS
  - Apache (and variants)

- Web Enterprise Architectures

• Design of tiered architectures.
• The concepts of logical and physical separation.
• Differences between presentation, application, and database layers.

- Web Protocols

• Web protocols: HTTP, HTTPS, SOAP.
• All HTTP web methods and response codes.
• HTTP Header Fields relating to security features.

- Web Mark-up Languages

• Web mark-up languages: HTML and XML.

- Web Programming Languages

• Common web programming languages: JSP, ASP, PHP, CGI based Perl and JavaScript.

- Web Application Servers

• Vulnerabilities in common application frameworks, servers and technologies: .NET, J2EE, Coldfusion, Ruby on Rails and AJAX.

- Web APIs

• Application interfaces: CGI, ISAPI filters and Apache modules.

- Web SubComponents

• Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X.
• Flash Application Testing.
• .NET Thick Clients.
• Java Applets.
• De-compilation of client-side code.

• Benefits of performing application reconnaissance.
• Discovering the structure of web applications.
• Methods to identify the use of application components defined in G1 to G9.

- Threat Modelling and Attack Vectors

• Simple threat modelling based on customer perception of risk.
• Relate functionality offered by the application to potential attack vectors.

- Information Gathering from Web Mark-up

• Examples of the type of information available in web page source that may prove useful to an attacker:
  - Hidden Form Fields
  - Database Connection Strings
  - Credentials
  - Developer Comments
  - Other included files
  - Authenticated-only URLs

- Authentication Mechanisms

• Common pitfalls associated with the design and implementation of application authentication mechanisms.

- Authorisation Mechanisms

• Common pitfalls associated with the design and implementation of application authorisation mechanisms.

- Input Validation

• The importance of input validation as part of a defensive coding strategy.
• How input validation can be implemented and the differences between white-listing, black-listing, and data sanitisation.

- Information Disclosure in Error Messages

• How error messages may indicate or disclose useful information.

- Use of Cross Site Scripting Attacks

• Potential implications of a cross site scripting vulnerability.
• Ways in which the technique can be used to benefit an attacker.

- Use of Injection Attacks

• Potential implications of injection vulnerabilities:
  - SQL injection
  - LDAP injection
  - Code injection
  - XML injection
• Ways in which these techniques can be used to benefit an attacker.

- Session Handling

• Common pitfalls associated with the design and implementation of session handling mechanisms.

- Encryption

• Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
• Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic values (e.g. MD5 hashes).
• Identification of common SSL vulnerabilities.

- Source Code Review

• Common techniques for identifying and reviewing deficiencies in the areas of security.

• Spidering tools and their relevance in a web application test for discovering linked content.
• Forced browsing techniques to discover default or unlinked content.
• Identification of functionality within client-side code.

- Cross Site Scripting Attacks

• Arbitrary JavaScript execution.
• Using Cross Site Scripting techniques to obtain sensitive information from other users.
• Phishing techniques.

- SQL Injection

• Determine the existence of an SQL injection condition in a web application.
• Determine the existence of a blind SQL injection condition in a web application.
• Exploit SQL injection to enumerate the database and its structure.
• Exploit SQL injection to execute commands on the target server.

- Parameter Manipulation

• Parameter manipulation techniques, particularly the use of client-side proxies.

• Knowledge of common attack vectors for Microsoft SQL Server.
• Understanding of privilege escalation and attack techniques for a system compromised via database connections.

- Oracle RDBMS

• Derivation of version and patch information from hosts running Oracle software.
• Default Oracle accounts.

- Web / App / Database Connectivit

• Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods used by web applications.