Note that learners can generate a set of course materials (PDF and videos) once their access to the course starts. To make the learning experience seamless, we have provided a one-to-one mapping of the downloaded video material to the course portal.
| Module 6 Information Gathering | |
| Portal Text Name | Offline (Folder - IG) |
| 6.2 - Passive Information Gathering | |
| 6.2.1 - Whois Enumeration | IG_02_01 |
| 6.2.2 - Google Hacking | IG_02_02 |
| 6.2.3 - Netcraft | IG_02_03 |
| 6.2.4 - Open-Source Code | IG_02_04 |
| 6.2.5 - Shodan | IG_02_05 |
| 6.2.6 - Security Headers and SSL/TLS | IG_02_06 |
| 6.4 - Active Information Gathering | |
| 6.4.1 - DNS Enumeration | IG_03_01 |
| 6.4.2 - TCP/UDP Port Scanning Theory | N/A |
| 6.4.3 - Port Scanning with Nmap | IG_03_03 |
| 6.4.4 - SMB Enumeration | IG_03_04 |
| 6.4.5 - SMTP Enumeration | IG_03_05 |
| 6.4.6 - SNMP Enumeration | IG_03_06 |
| Module 7 Vulnerability Scanning | |
| Portal Text Name | Offline (Folder - VS) |
| 7.2 - Vulnerability Scanning with Nessus | |
| 7.2.1 - Installing Nessus | N/A |
| 7.2.2 - Nessus Components | VS_02_02 |
| 7.2.3 - Performing a Vulnerability Scan | VS_02_03 |
| 7.2.4 - Analyzing the Results | VS_02_04 |
| 7.2.5 - Performing an Authenticated Vulnerability Scan | VS_02_05 |
| 7.2.6 - Working with Nessus Plugins | VS_02_06 |
| 7.3 - Vulnerability Scanning with Nmap | |
| 7.3.1 - NSE Vulnerability Scripts | VS_03_01 |
| 7.3.2 - Working with NSE Scripts | VS_03_02 |
| Module 8 Introduction to Web Application Attacks | |
| Portal Text Name | Offline (Folder - ITWAA) |
| 8.2 - Web Application Assessment Tools | |
| 8.2.1. Fingerprinting Web Servers with Nmap | ITWAA_02_01 |
| 8.2.2. Technology Stack Identification with Wappalyzer | N/A |
| 8.2.3. Directory Brute Force with Gobuster | ITWAA_02_03 |
| 8.2.4. Security Testing with Burp Suite | ITWAA_02_04 |
| 8.3 - Web Application Enumeration | |
| 8.3.1. Debugging Page Content | ITWAA_03_01 |
| 8.3.2. Inspecting HTTP Response Headers and Sitemaps | ITWAA_03_02 |
| 8.3.3. Enumerating and Abusing APIs | ITWAA_03_03 |
| 8.4 - Cross-Scripting | |
| 8.4.1. Stored vs Reflected XSS Theory | N/A |
| 8.4.2. JavaScript Refresher | N/A |
| 8.4.3. Identifying XSS Vulnerabilities | N/A |
| 8.4.4. Basic XSS | ITWAA_04_04 |
| 8.4.5. Privilege Escalation via XSS | ITWAA_04_05 |
| Module 9 Common Web Application Attacks | |
| Portal Text Name | Offline (Folder - CWAA) |
| 9.1 Directory Traversal | |
| 9.1.1. Absolute vs Relative Paths | CWAA_01_01 |
| 9.1.2. Identifying and Exploiting Directory Traversals | CWAA_01_02 |
| 9.1.3. Encoding Special Characters | CWAA_01_03 |
| 9.2. File Inclusion Vulnerabilities | |
| 9.2.1. Local File Inclusion (LFI) | CWAA_02_01 |
| 9.2.2. PHP Wrappers | CWAA_02_02 |
| 9.2.3. Remote File Inclusion (RFI) | CWAA_02_03 |
| 9.3. File Upload Vulnerabilities | |
| 9.3.1. Using Executable Files | CWAA_03_01 |
| 9.3.2. Using Non-Executable Files | CWAA_03_02 |
| 9.4. Command Injection | |
| 9.4.1. OS Command Injection | CWAA_04_01 |
| Module 10 SQL Injection | |
| Portal Text Name | Offline (Folder - SQLi) |
| 10.1. SQL Theory and Databases | |
| 10.1.1. SQL Theory Refresher | N/A |
| 10.1.2. DB Types and Characteristics | SQLi_01_02 |
| 10.2. Manual SQL Exploitation | |
| 10.2.1. Identifying SQLi via Error-based Payloads | SQLi_02_01 |
| 10.2.2. UNION-based Payloads | SQLi_02_02 |
| 10.2.3. Blind SQL Injections | SQLi_02_03 |
| 10.3. Manual and Automated Code Execution | |
| 10.3.1. Manual Code Execution | SQLi_03_01 |
| 10.3.2. Automating the Attack | SQLi_03_02 |
| Module 12 Client Side Attacks | |
| Portal Text Name | Offline (Folder - CSA) |
| 12.1. Target Reconnaissance | |
| 12.1.1. Information Gathering | CSA_01_01 |
| 12.1.2. Client Fingerprinting | CSA_01_02 |
| 12.2. Exploiting Microsoft Office | |
| 12.2.1. Preparing the Attack | N/A |
| 12.2.2. Installing Microsoft Office | N/A |
| 12.2.3. Leveraging Microsoft Word Macros | CSA_02_03 |
| 12.3. Abusing Windows Library Files | |
| 12.3.1. Obtaining Code Execution via Windows Library Files | CSA_03_01 |
| Module 13 Locating Public Exploits | |
| Portal Text Name | Offline (Folder - LOCPE) |
| 13.1. Getting Started | |
| 13.1.1. A Word of Caution | N/A |
| 13.2. Online Exploit Resources | |
| 13.2.1. The Exploit Database | N/A |
| 13.2.2. Packet Storm | N/A |
| 13.2.3. GitHub | N/A |
| 13.2.4. Google Search Operators | N/A |
| 13.3. Offline Exploit Resources | |
| 13.3.1. Exploit Frameworks | |
| 13.3.2. SearchSploit | LOCPE_03_02 |
| 13.3.3. Nmap NSE Scripts | LOCPE_03_03 |
| 13.4. Exploiting a Target | |
| 13.4.1. Putting It Together | LOCPE_04_01 |
| Module 14 Fixing Exploits | |
| Portal Text Name | Offline (Folder - FE) |
| 14.1. Fixing Memory Corruption Exploits | |
| 14.1.1. Buffer Overflow in a Nutshell | N/A |
| 14.1.2. Importing and Examining the Exploit | FE_01_02 |
| 14.1.3. Cross-Compiling Exploit Code | FE_01_03 |
| 14.1.4. Fixing the Exploit | FE_01_04 |
| 14.1.5. Changing the Overflow Buffer | FE_01_05 |
| 14.2. Fixing Web Exploits | |
| 14.2.1. Considerations and Overview | N/A |
| 14.2.2. Selecting the Vulnerability and Fixing the Code | FE_02_02 |
| 14.2.3. Troubleshooting the "index out of range" Error | FE_02_03 |
| Module 15 Antivirus Evasion | |
| Portal Text Name | Offline (Folder - AVE) |
| 15.1. Antivirus Software Key Components and Operations | |
| 15.1.1. Known vs Unknown Threats | N/A |
| 15.1.2. AV Engines and Components | N/A |
| 15.1.3. Detection Methods | AVE_01_03 |
| 15.2. Bypassing Antivirus Detections | |
| 15.2.1. On-Disk Evasion | N/A |
| 15.2.2. In-Memory Evasion | N/A |
| 15.3. AV Evasion in Practice | |
| 15.3.1. Testing for AV Evasion | N/A |
| 15.3.2. Evading AV with Thread Injection | AVE_03_02 |
| 15.3.3. Automating the Process | AVE_03_03 |
| Module 16 Password Attacks | |
| Portal Text Name | Offline (Folder - PA) |
| 16.1. Attacking Network Services Logins | |
| 16.1.1. SSH and RDP | PA_01_01 |
| 16.1.2. HTTP POST Login Form | PA_01_02 |
| 16.2. Password Cracking Fundamentals | |
| 16.2.1. Introduction to Encryption, Hashes and Cracking | PA_02_01 |
| 16.2.2. Mutating Wordlists | PA_02_02 |
| 16.2.3. Cracking Methodology | N/A |
| 16.2.4. Password Manager | PA_02_04 |
| 16.2.5. SSH Private Key Passphrase | PA_02_05 |
| 16.3. Working with Password Hashes | |
| 16.3.1. Cracking NTLM | PA_03_01 |
| 16.3.2. Passing NTLM | PA_03_02 |
| 16.3.3. Cracking Net-NTLMv2 | PA_03_03 |
| 16.3.4. Relaying Net-NTLMv2 | PA_03_04 |
| Module 17 Windows Privilege Escalation | |
| Portal Text Name | Offline (Folder - WPE) |
| 17.1. Enumerating Windows | |
| 17.1.1. Understanding Windows Privileges and Access Control Mechanisms | N/A |
| 17.1.2. Situational Awareness | WPE_01_02 |
| 17.1.3. Hidden in Plain View | WPE_01_03 |
| 17.1.4. Information Goldmine PowerShell | WPE_01_04 |
| 17.1.5. Automated Enumeration | WPE_01_05 |
| 17.2. Leveraging Windows Services | |
| 17.2.1. Service Binary Hijacking | WPE_02_01 |
| 17.2.2. Service DLL Hijacking | WPE_02_02 |
| 17.2.3. Unquoted Service Paths | WPE_02_03 |
| 17.3. Abusing Other Windows Components | |
| 17.3.1. Scheduled Tasks | WPE_03_01 |
| 17.3.2. Using Exploits | WPE_03_02 |
| Module 18 Linux Privilege Escalation | |
| Portal Text Name | Offline (Folder - LPE) |
| 18.1. Enumerating Linux | |
| 18.1.1. Understanding Files and Users Privileges on Linux | N/A |
| 18.1.2. Manual Enumeration | LPE_01_02 |
| 18.1.3. Automated Enumeration | LPE_01_03 |
| 18.2. Exposed Confidential Information | |
| 18.2.1. Inspecting User Trails | LPE_02_01 |
| 18.2.2. Inspecting Service Footprints | LPE_02_02 |
| 18.3. Insecure File Permissions | |
| 18.3.1. Abusing Cron Jobs | LPE_03_01 |
| 18.3.2. Abusing Password Authentication | LPE_03_02 |
| 18.4. Insecure System Components | |
| 18.4.1. Abusing Setuid Binaries and Capabilities | LPE_04_01 |
| 18.4.2. Abusing Sudo | LPE_04_02 |
| 18.4.3. Exploiting Kernel Vulnerabilities | LPE_04_03 |
| Module 19 Port Redirection and SSH Tunneling | |
| Portal Text Name | Offline (No Folder) |
| 19.2. Port Forwarding with Linux Tools | |
| 19.2.1. A Simple Port Forwarding Scenario | PRAT_02_01 |
| 19.2.2. Setting Up the Lab Environment | PRAT_02_02 |
| 19.2.3. Port Forwarding with Socat | PRAT_02_03 |
| 19.3. SSH Tunneling | |
| 19.3.1. SSH Local Port Forwarding | PRAT_03_01 |
| 19.3.2. SSH Dynamic Port Forwarding | PRAT_03_02 |
| 19.3.3. SSH Remote Port Forwarding | PRAT_03_03 |
| 19.3.4. SSH Remote Dynamic Port Forwarding | PRAT_03_04 |
| 19.3.5. Using sshuttle | PRAT_03_05 |
| 19.4. Port Forwarding with Windows Tools | |
| 19.4.1. ssh.exe | PRAT_04_01 |
| 19.4.2. Plink | PRAT_04_02 |
| 19.4.3. Netsh | PRAT_04_03 |
| Module 20 Tunneling Through Deep Packet Inspection | |
| Portal Text Name | Offline (No Folder) |
| 20.1. HTTP Tunneling Theory and Practice | |
| 20.1.1. HTTP Tunneling Fundamentals | PRAT2_01_01 |
| 20.1.2. HTTP Tunneling with Chisel | PRAT2_01_02 |
| 20.2. DNS Tunneling Theory and Practice | |
| 20.2.1. DNS Tunneling Fundamentals | PRAT2_02_01 |
| 20.2.2. DNS Tunneling with dnscat2 | PRAT2_02_02 |
| Module 21 The Metasploit Framework | |
| Portal Text Name | Offline (No Folder) |
| 21.1. Getting Familiar with Metasploit | |
| 21.1.1. Setup and Work with MSF | TMF_01_01 |
| 21.1.2. Auxiliary Modules | TMF_01_02 |
| 21.1.3. Exploit Modules | TMF_01_03 |
| 21.2. Using Metasploit Payloads | |
| 21.2.1. Staged vs Non-Staged Payloads | TMF_02_01 |
| 21.2.2. Meterpreter Payload | TMF_02_02 |
| 21.2.3. Executable Payloads | TMF_02_03 |
| 21.3. Performing Post-Exploitation with Metasploit | |
| 21.3.1. Core Meterpreter Post-Exploitation Features | TMF_03_01 |
| 21.3.2. Post-Exploitation Modules | TMF_03_02 |
| 21.3.3. Pivoting with Metasploit | TMF_03_03 |
| 21.4. Automating Metasploit | |
| 21.4.1. Resource Scripts | TMF_04_01 |
| Module 22 Active Directory Introduction and Enumeration | |
| Portal Text Name | Offline (No Folder) |
| 22.1. Active Directory - Introduction | |
| 22.1.1. Enumeration - Defining our Goals | N/A |
| 22.2. Active Directory - Manual Enumeration | |
| 22.2.1. Active Directory - Enumeration Using Legacy Windows Tools | ADIE_02_01 |
| 22.2.2. Enumerating Active Directory using PowerShell and .NET Classes | ADIE_02_02 |
| 22.2.3. Adding Search Functionality to our Script | ADIE_02_03 |
| 22.2.4. AD Enumeration with PowerView | ADIE_02_04 |
| 22.3. Manual Enumeration - Expanding our Repertoire | |
| 22.3.1. Enumerating Operating Systems | ADIE_03_01 |
| 22.3.2. Getting an Overview - Permissions and Logged on Users | ADIE_03_02 |
| 22.3.3. Enumeration Through Service Principal Names | ADIE_03_03 |
| 22.3.4. Enumerating Object Permissions | ADIE_03_04 |
| 22.3.5. Enumerating Domain Shares | ADIE_03_05 |
| 22.4. Active Directory - Automated Enumeration | |
| 22.4.1. Collecting Data with SharpHound | ADIE_04_01 |
| 22.4.2. Analysing Data using BloodHound | ADIE_04_02 |
| Module 23 Attacking Active Directory Authentication | |
| Portal Text Name | Offline (No Folder) |
| 23.1. Understanding Active Directory Authentication | |
| 23.1.1. NTLM Authentication | N/A |
| 23.1.2. Kerberos Authentication | N/A |
| 23.1.3. Cached AD Credentials | AADA_01_03 |
| 23.2. Performing Attacks on Active Directory Authentication | |
| 23.2.1. Password Attacks | AADA_02_01 |
| 23.2.2. AS-REP Roasting | AADA_02_02 |
| 23.2.3. Kerberoasting | AADA_02_03 |
| 23.2.4. Silver Tickets | AADA_02_04 |
| 23.2.5. Domain Controller Synchronization | AADA_02_05 |
| Module 24 Lateral Movement in Active Directory | |
| Portal Text Name | Offline (No Folder) |
| 24.1. Active Directory Lateral Movement Techniques | |
| 24.1.1. WMI and WinRM | ADLM_01_01 |
| 24.1.2. PsExec | ADLM_01_02 |
| 24.1.3. Pass the Hash | ADLM_01_03 |
| 24.1.4. Overpass the Hash | ADLM_01_04 |
| 24.1.5. Pass the Ticket | ADLM_01_05 |
| 24.1.6. DCOM | ADLM_01_06 |
| 24.2. Active Directory Persistence | |
| 24.2.1. Golden Ticket | ADLM_02_01 |
| 24.2.2. Shadow Copies | ADLM_02_02 |
| Module 27 Assembling the Pieces | |
| Portal Text Name | Offline (No Folder) |
| 27.1. Enumerating the Public Network | |
| 27.1.1. MAILSRV1 | ATP_01_01 |
| 27.1.2. WEBSRV1 | ATP_01_02 |
| 27.2. Attacking a Public Machine | |
| 27.2.1. Initial Foothold | ATP_02_01 |
| 27.2.2. A Link to the Past | ATP_02_02 |
| 27.3. Gaining Access to the Internal Network | |
| 27.3.1. Domain Credentials | ATP_03_01 |
| 27.3.2. Phishing for Access | ATP_03_02 |
| 27.4. Enumerating the Internal Network | |
| 27.4.1. Situational Awareness | ATP_04_01 |
| 27.4.2. Services and Sessions | ATP_04_02 |
| 27.5. Attacking an Internal Web Application | |
| 27.5.1. Speak Kerberoast and Enter | ATP_05_01 |
| 27.5.2. Abuse a WordPress Plugin for a Relay Attack | ATP_05_02 |
| 27.6. Gaining Access to the Domain Controller | |
| 27.6.1. Cached Credentials | ATP_06_01 |
| 27.6.2. Lateral Movement | ATP_06_02 |