Unix Security
Please note the knowledge domains and topics outlined here are for guidance only and subject to change.
Demonstrate ability to exploit weak sudo configuration
Understand difference between sudo and su
Understand purpose of using sudo rather than logging in as root
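The shell script below is an added example for this domain (it is not part of the syllabus): it audits sudoers-style lines for the configurations a tester looks for after running `sudo -l`. The distinction the syllabus draws matters here: `su` needs the target account's password and gives an unrestricted shell, while `sudo` authenticates the caller with their own password, can be limited to named commands, and logs every invocation, which is why it is preferred to logging in as root. The sample policy and the list of shell-escape binaries are constructed for the example and are not exhaustive.

```shell
#!/bin/sh
# Added example (not from the syllabus): audit sudoers-style lines for the
# weaknesses a tester looks for after "sudo -l". Input on stdin, one finding
# per output line.

# Commands that hand the caller a root shell or arbitrary file write when run
# under sudo, e.g. "sudo vim -c ':!sh'", "sudo less /etc/hosts" then "!sh",
# "sudo awk 'BEGIN{system(\"sh\")}'", "sudo find / -exec sh \;".
# Illustrative subset, not an exhaustive list.
SHELL_ESCAPE_BINS="vim vi nano less more man awk find perl python python3 env bash sh dash tar zip nmap"

audit_sudoers() {
    awk -v escapes="$SHELL_ESCAPE_BINS" '
    BEGIN { n = split(escapes, e, " "); for (i = 1; i <= n; i++) esc[e[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
    {
        user = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host="
        sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
        if (spec ~ /NOPASSWD:/)
            print user ": NOPASSWD - a shell as this user becomes root without a password"
        gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV):[ \t]*/, "", spec)
        m = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= m; i++) {
            cmd = cmds[i]
            if (cmd == "ALL") { print user ": ALL - any command as root"; continue }
            split(cmd, w, " ")
            base = w[1]; sub(/.*\//, "", base)   # basename of the command
            if (base in esc)
                print user ": " base " permits a shell escape (" cmd ")"
            if (cmd ~ /\*/)
                print user ": wildcard in \"" cmd "\" - extra arguments can be injected"
        }
    }'
}

# Constructed sample policy (not taken from any real host)
sample_sudoers() {
    cat <<'EOF'
# users
Defaults env_reset
alice ALL=(ALL) NOPASSWD: ALL
bob   ALL=(root) /usr/bin/vim /etc/hosts
carol ALL=/bin/cat /var/log/*
dave  ALL=(ALL) /usr/bin/id
EOF
}

sample_sudoers | audit_sudoers
```

On a live host run `sudo -l` as the compromised user and feed the listed entries through `audit_sudoers`; the `cat /var/log/*` wildcard, for instance, is abused as `sudo cat /var/log/../../etc/shadow`, because sudo matches the wildcard before the shell resolves the path.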
Understands backported patches and their effect on scanning tools (a service banner can report a version number that looks vulnerable even though the fix has been backported)
Understands OS lifecycle management
Can identify Unix hosts on a target network
Understands mail relaying
Awareness of recent sendmail vulnerabilities and ability to exploit them if possible
Can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files
Understands SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services
Understand that SSH can be used for port forwarding and file transfer
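The following shell function is an added example (not from the syllabus) of SSH version fingerprinting. RFC 4253 defines the server's identification string as `SSH-protoversion-softwareversion SP comments`; a protocol version of `1.99` means the server negotiates both protocol 1 and 2, and `1.x` means protocol 1 only, which is deprecated and cryptographically weak. The banners in the demo loop are constructed.

```shell
#!/bin/sh
# Added example (not from the syllabus): classify an SSH server identification
# string. Grab a real one with:  nc -w 3 HOST 22 </dev/null | head -n 1
# (the server sends its banner before the client says anything).

classify_ssh_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r')
    case "$banner" in
        SSH-*-*) ;;
        *) echo "not an SSH identification string: $banner"; return 1 ;;
    esac
    rest=${banner#SSH-}
    proto=${rest%%-*}            # up to the next '-'
    software=${rest#*-}          # everything after it
    comments=""
    case "$software" in
        *" "*) comments=${software#* }; software=${software%% *} ;;
    esac
    case "$proto" in
        1.99) v1="yes (SSH-1 negotiable alongside SSH-2)" ;;
        1.*)  v1="yes (SSH-1 only)" ;;
        2.0)  v1="no" ;;
        *)    v1="unknown proto $proto" ;;
    esac
    printf 'proto=%s ssh1=%s software=%s comments=%s\n' \
        "$proto" "$v1" "$software" "$comments"
}

# Constructed banners for the demo
for b in 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1' 'SSH-1.99-OpenSSH_3.9p1' 'SSH-1.5-1.2.27'; do
    classify_ssh_banner "$b" || true
done
```

`ssh -v HOST 2>&1 | grep 'remote software version'` prints the same information from the OpenSSH client's debug output. The remote-access services the syllabus refers to are all standard OpenSSH features: `ssh -L 8080:internal-host:80 user@HOST` forwards a local port through the host, `ssh -R 2222:127.0.0.1:22 user@HOST` exposes a local service on the remote side, `ssh -D 1080 user@HOST` gives a SOCKS proxy, and `scp`/`sftp` move files over the same channel.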
Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:
• Lead to the compromise of a server
• Allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files
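The script below is an added example (not from the syllabus) covering both trust mechanisms above: it builds a throw-away directory tree with constructed `/etc/hosts.equiv`, `.rhosts` and `~/.ssh/authorized_keys` files, audits it for the weaknesses that let one host or account be used to reach another, then performs the attacker's edit (appending a key to a writable `authorized_keys`) and audits again. The tree stands in for `/`; every file and key in it is constructed and nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not from the syllabus): audit r-services and SSH trust files.

make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/alice/.ssh" "$root/home/bob"
    # hosts.equiv / .rhosts: "+" in a field is a wildcard (any host, or any
    # user on the named host); "+ +" trusts everyone from everywhere
    printf '# constructed sample\nbuildsrv +\n' > "$root/etc/hosts.equiv"
    printf '+ +\n' > "$root/home/bob/.rhosts"
    # a key restricted with from=, so it only works from one source address
    printf 'from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000000000 alice@laptop\n' \
        > "$root/home/alice/.ssh/authorized_keys"
    chmod 0666 "$root/home/alice/.ssh/authorized_keys"   # the weak permission
    echo "$root"
}

audit_trust_files() {
    root=$1
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        awk -v f="${f#"$root"}" '!/^[ \t]*#/ && ($1 == "+" || $2 == "+") {
            print f ": wildcard trust entry \"" $0 "\""
        }' "$f"
    done
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        if [ -n "$(find "$f" -perm -0002)" ]; then
            echo "$rel: world-writable, any local user can add a key"
        fi
        # keys without from= can be used from anywhere the private key reaches
        awk -v f="$rel" '/^[ \t]*#/ || /^[ \t]*$/ { next }
            $1 !~ /^from=/ { print f ": key without from= restriction (" $NF ")" }' "$f"
    done
}

# What a tester does once a target user's authorized_keys is writable
add_attacker_key() {
    root=$1; user=$2
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAttackerKey0000000000000000000000 attacker\n' \
        >> "$root/home/$user/.ssh/authorized_keys"
}

tree=$(make_sample_tree)
echo "== before =="; audit_trust_files "$tree"
add_attacker_key "$tree" alice
echo "== after ==";  audit_trust_files "$tree"
rm -rf "$tree"
```

Run `audit_trust_files ""` on a live host to audit the real paths. The same write access is what makes NFS exports and world-writable home directories dangerous: whoever can modify `authorized_keys` or `.rhosts` for a user can log in as that user, and from root's files as root.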
Understands how NFS exports can be restricted at both a host and file level
Understands the concepts of root squashing, nosuid and noexec options
Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation
Understands NFS and its associated security attributes and can demonstrate how exports can be identified
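The script below is an added example (not from the syllabus) for the NFS items above: it audits `/etc/exports`-style lines for the settings that turn an export into an escalation path (no client list, `*` clients, `no_root_squash`, `rw` under `root_squash`, `insecure`, and the space-before-parenthesis mistake), and documents the attacker-side steps for each case as comments. The sample exports are constructed; nothing here mounts or touches a real server.

```shell
#!/bin/sh
# Added example (not from the syllabus): audit /etc/exports for escalation paths.

audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        path = $1
        if (NF == 1) { print path ": no client list - no host restriction"; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(/)) {
                opts = substr(client, RSTART + 1); sub(/\)$/, "", opts)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") {
                # "/dir host (rw)" exports to host with defaults AND to * with rw
                client = "*"
                print path " [*]: space before \"(\" - these options apply to every host, not the preceding client"
            } else if (client == "*")
                print path " [*]: exported to every host"
            tag = path " [" client "]"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print tag ": no_root_squash - remote root is uid 0 on the export, SUID-root files can be planted"
            else if (opts ~ /(^|,)rw(,|$)/)
                print tag ": rw with root_squash - writable as any non-root uid, so a matching local uid edits the files of that user"
            if (opts ~ /(^|,)insecure(,|$)/)
                print tag ": insecure - requests from unprivileged source ports accepted (no root needed on the client)"
        }
    }'
}

# Attacker side, for reference (run on the attacking host; not executed here):
#   showmount -e TARGET                       # identify the exports
#   mount -t nfs TARGET:/exports/home /mnt
# no_root_squash: a file created by local root keeps uid 0 on the server
#   cp /bin/bash /mnt/.x && chmod 4755 /mnt/.x
#   then, on the server or any host mounting the export without nosuid:
#   /exports/home/.x -p                       # bash -p keeps the effective uid
# root_squash but rw: write as the victim's uid instead
#   useradd -u 1000 victim
#   su victim -c 'cat attacker.pub >> /mnt/victim/.ssh/authorized_keys'
# nosuid on the mount defeats the SUID file, noexec blocks executing anything
# from the export; both are client-side mount options, root_squash is server-side.

# Constructed sample /etc/exports
sample_exports() {
    cat <<'EOF'
# constructed sample
/exports/home *(rw,no_root_squash)
/srv/tftp 10.0.0.0/24(ro)
/pub
/data 10.0.0.7(rw,insecure) 10.0.0.8(ro)
/backup 10.0.0.9 (rw)
EOF
}

sample_exports | audit_exports
```

On a target, `showmount -e TARGET` gives the client-side view of the same data (paths and allowed clients); `no_root_squash` and `insecure` are only visible from the server's `/etc/exports` or by testing the behaviour after mounting.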
Understands and can exploit TFTP within a Cisco environment
Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files and the uploading or over-writing of files
Understands the security implications of anonymous FTP access
Understands FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions
Understands and can perform common post exploitation activities, including:
• Obtaining password hashes, both from the local password store (/etc/shadow on Unix, the SAM on Windows) and from cached credentials
• Obtaining locally stored clear-text passwords
• Cracking password hashes
• Obtaining patch levels
• Deriving a list of missing security patches
• Reverting to a previous state
• Lateral and horizontal movement
Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
Can demonstrate the recovery of password hashes when given physical access to a UNIX host
Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks
Understands UNIX password hashing algorithms and their associated security attributes
Understands users, groups and password policies, including complexity requirements and lock-out
Understands how passwords are stored and protected and can demonstrate how they can be recovered
Understands how to avoid causing a denial of service by locking-out accounts
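The script below is an added example (not from the syllabus) for the password items above and for the hash-recovery step of post-exploitation: it identifies the hashing scheme of each `/etc/shadow` entry from its `$id$` prefix, merges `passwd` and `shadow` into the single-file layout offline crackers take (the same layout john's `unshadow` produces), and lists which accounts are worth cracking effort. Every hash in the sample files is a constructed placeholder, not a real digest.

```shell
#!/bin/sh
# Added example (not from the syllabus): classify and prepare Unix password
# hashes for offline cracking.

classify_hash() {
    h=$1; locked=""
    case "$h" in
        '!'*) locked=" [locked]"; h=${h#!} ;;   # "passwd -l" prefixes "!"; the hash is still crackable
    esac
    case "$h" in
        ''|'*'|'!') echo "no usable password"; return 0 ;;
        '$1$'*)  algo="md5crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) algo="bcrypt" ;;
        '$5$'*)  algo="sha256crypt" ;;
        '$6$'*)  algo="sha512crypt" ;;
        '$y$'*)  algo="yescrypt" ;;
        *) if [ "${#h}" -eq 13 ]; then algo="descrypt"; else algo="unknown"; fi ;;
    esac
    echo "$algo$locked"
}

# passwd shadow -> user:hash:uid:gid:gecos:home:shell (john's unshadow layout)
unshadow_lines() {
    awk -F: -v OFS=: 'NR == FNR { h[$1] = $2; next } { if ($1 in h) $2 = h[$1]; print }' "$2" "$1"
}

# shadow -> "user algo" for entries that carry a real hash
crackable_accounts() {
    while IFS=: read -r user hash rest; do
        c=$(classify_hash "$hash")
        [ "$c" = "no usable password" ] || echo "$user $c"
    done < "$1"
}

# Constructed sample files; the hashes are placeholders, not real digests
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
legacy:x:1002:1002:Old account:/home/legacy:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$CONSTRUCTEDplaceholderNotARealHashXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$y$j9T$saltsalt$CONSTRUCTEDplaceholderNotARealHash:19800:0:99999:7:::
bob:!$6$saltsalt$CONSTRUCTEDplaceholderNotARealHashXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:19800:0:99999:7:::
legacy:abJnggxhB/yWI:19800:0:99999:7:::
EOF
    echo "$d"
}

d=$(make_sample_files)
echo "== crackable =="; crackable_accounts "$d/shadow"
echo "== unshadowed =="; unshadow_lines "$d/passwd" "$d/shadow"
rm -rf "$d"
```

The merged file is what `john --wordlist=WORDLIST merged.txt` (dictionary) or `john --incremental merged.txt` (brute force) consumes; hashcat takes the hash column alone with `-m 500` for md5crypt, `-m 7400` for sha256crypt, `-m 1800` for sha512crypt, `-m 3200` for bcrypt and `-m 1500` for descrypt, while yescrypt is handled by john through the system crypt(3). Descrypt entries deserve attention first: the scheme truncates passwords to 8 characters and salts with only 12 bits. Offline cracking never locks anyone out; online guessing against SSH, su or PAM does, so read `/etc/security/faillock.conf` (`deny` and `unlock_time`) or the pam_tally2 configuration before attempting any online guesses. With physical access the hashes are read by booting live media and mounting the root filesystem, or by appending `init=/bin/sh` to the kernel command line at the bootloader; full-disk encryption and a bootloader password are the controls.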
Can enumerate RPC services and identify those with known security vulnerabilities
Is aware of legacy user enumeration techniques such as rusers and rwho
Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms including:
• Filesystems or resources shared remotely, such as NFS and SMB
• SMTP
• SSH
• Telnet
• SNMP and RID cycling
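The script below is an added example (not from the syllabus) for the RPC enumeration items above: it turns `rpcinfo -p TARGET` output into the follow-up enumeration step each registered program invites. The program-to-service table uses the standard ONC RPC program numbers; the `rpcinfo` output it parses is constructed. Note that `rwho` is not RPC-based (it reads rwhod broadcasts on UDP 513), while `rusers` queries the rusersd program listed here.

```shell
#!/bin/sh
# Added example (not from the syllabus): map "rpcinfo -p" output to next steps.

rpc_followups() {
    awk '
    BEGIN {
        name[100000] = "portmapper"; step[100000] = "rpcinfo -p (already done)"
        name[100001] = "rstatd";     step[100001] = "rup TARGET  (uptime and load; host alive, OS hints)"
        name[100002] = "rusersd";    step[100002] = "rusers -l TARGET  (logged-in usernames)"
        name[100003] = "nfs";        step[100003] = "mount the exports found via mountd"
        name[100004] = "ypserv";     step[100004] = "NIS: ypcat -d DOMAIN -h TARGET passwd  (needs the domain name)"
        name[100005] = "mountd";     step[100005] = "showmount -e TARGET  (exports and allowed clients)"
        name[100007] = "ypbind";     step[100007] = "NIS client; the domain name may be recoverable"
        name[100008] = "walld";      step[100008] = "rwall writes to every user terminal (nuisance, social engineering)"
        name[100011] = "rquotad";    step[100011] = "quota lookups; confirms NFS is in use"
        name[100021] = "nlockmgr";   step[100021] = "NFS lock manager; confirms NFS is in use"
        name[100024] = "status";     step[100024] = "statd, NFS helper"
    }
    $1 !~ /^[0-9]+$/ { next }           # skip the header and blank lines
    !($1 in seen) {                     # one line per program, whatever the versions
        seen[$1] = 1
        n = ($1 in name) ? name[$1] : $5
        s = ($1 in step) ? step[$1] : "no standard follow-up; look the number up in /etc/rpc"
        printf "%s (%s, %s/%s): %s\n", n, $1, $3, $4, s
    }'
}

# Constructed "rpcinfo -p" output
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100002    2   udp  32769  rusersd
    100004    2   udp    683  ypserv
    100021    4   tcp  45131  nlockmgr
EOF
}

sample_rpcinfo | rpc_followups
```

Pipe real output in with `rpcinfo -p TARGET | rpc_followups`; if the portmapper on port 111 is filtered, `nmap -sU -sT -p 111,2049 --script rpcinfo TARGET` and a direct probe of port 2049 still reveal NFS. For the other services in the list, user enumeration follows the same pattern: `VRFY`/`EXPN` against SMTP, banner and login-prompt differences on Telnet, public-community walks on SNMP, and null-session share and user listing on SMB.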