5 Days


Employees of federal, state and local governments; and businesses working with the government.

Course Overview:

This hands-on course uses only freely available open source tools and is beneficial to anyone performing a cyber investigation or vulnerability assessment. Law enforcement and military communities were specifically in mind during the design, however anyone in cyber security would benefit. You will learn to use open-source tools from the Kali.org Linux distribution. You will learn both active and passive methods to gain information on the person(s) of interest. Hands-on labs combined with various hardware demonstrations, give you numerous opportunities to apply what was learned during the lecture.

Who Should Attend:

Employees of federal, state and local governments; and businesses working with the government. Cybersecurity analysts and security engineers a who are at the beginning to intermediate stages of packet analysis.

Recommended Course Prerequisites:

Basic knowledge of TCP/IP protocols

Topics you will cover in this course include:

Passive Reconnaissance

  • Best practices to capture network traffic on 802.11 wireless, Bluetooth and ethernet networks. Aircrack, tcpdump and Wireshark will be used. Capture filters will be used to narrow the scope of the case.
  • Examine 802.11 specific headers as well as the TCP/IP protocol headers
  • Analyze the data using Wireshark. Various statistics and graphing which can be used to isolate connection patterns
  • Identify ARP spoofing in Wireshark
  • Signature identification and filtering for operating systems and connection establishment with Wireshark
  • Extract executables and images from Wireshark

Active Reconnaissance – Wireshark is used during all to aide in the understanding of methods and protocols

  • Best practices to scan an environment using Nmap and Zenmap. From networks down to services on hosts, active scans will be used to gather data.
  • Use a SOCKS proxy and Tor to anonymize traffic scans.
  • Transparently intercept SSL/TLS connections via SSLsplit.
  • Discover the target company’s IP netblocks, domain names and DNS record types via DNSRecon, dnsmap, nslookup and dig.
  • Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database via theharvester.
  • Search for potentially sensitive data across the network via smbmap. You will list share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.
  • Locate UPnP devices, consumer grade access points for example, via Miranda. You will gain full control over application settings, and enumerate devices and services.
  • Build a dossier of websites, RDP services, and open VNC servers with header info and default credentials using EyeWitness.
  • Visualize relationships between the information gathered via CaseFile to create a summary of the data gathered.