• Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms including:• Filesystems or resources shared remotely, such as NFS and SMB• SMTP • SSH • Telnet • SNMP and RID cycling
• Is aware of legacy user enumeration techniques such as rusers and rwho.
• Can enumerate RPC services and identify those with known security vulnerabilities.

• Understands users, groups and password policies, including complexity requirements and lock-out.
• Understands how to avoid causing a denial-of-service by locking-out accounts.
• Understands UNIX password hashing algorithms and their associated security attributes.
• Understands how passwords are stored and protected and can demonstrate how they can be recovered.
• Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks.
• Can demonstrate the recovery of password hashes when given physical access to a UNIX host.

• Understands and can demonstrate Local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions.

• Understands FTP and can demonstrate how a poorly configured FTP server can be exploited,e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions.
• Understands the security implications of anonymous FTP access.
• Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files, the uploading over-writing of files.
• Understands and can exploit TFTP within a Cisco environment.

• Understands NFS and its associated security attributes and can demonstrate how exports can be identified.
• Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation.
• Understands the concepts of root squashing, nosuid and noexec options.
• Understands how NFS exports can be restricted at both a host and file level.

• Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:

• Lead to the compromise of a server

• Allow a user to escalate privileges and/or gain further accessto a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files

• Understands and can demonstrate valid username discovery via EXPN and VRFY.
• Awareness of recent sendmail vulnerabilities and ability to exploit them if possible.
• Understands mail relaying.

• Understands backported patches, and the effect they have on scanning tools.
• Understands OS lifecycle management.

• Understands purpose of using sudo rather than logging in as root.
• Understands difference between sudo and su.
• Demonstrates ability to exploit weak sudo configuration.