| Learning Module | Learning Units | Learning Objectives |
|---|---|---|
| Report Writing for Penetration Testers | Understanding Note-Taking | - Review the deliverables for penetration testing engagements<br>- Understand the importance of note portability<br>- Identify the general structure of pentesting documentation<br>- Choose the right note-taking tool<br>- Understand the importance of taking screenshots<br>- Use tools to take screenshots |
| | Writing Effective Technical Penetration Testing Reports | - Identify the purpose of a technical report<br>- Understand how to specifically tailor content<br>- Construct an Executive Summary<br>- Account for specific test environment considerations<br>- Create a technical summary<br>- Describe technical findings and recommendations<br>- Recognize when to use appendices, resources, and references |
| Information Gathering | The Penetration Testing Lifecycle | - Understand the stages of a Penetration Test<br>- Learn the role of Information Gathering inside each stage<br>- Understand the differences between Active and Passive Information Gathering |
| | Passive Information Gathering | - Understand the two different Passive Information Gathering approaches<br>- Learn about Open Source Intelligence (OSINT)<br>- Understand Web Server and DNS passive information gathering |
| | Active Information Gathering | - Learn to perform Netcat and Nmap port scanning<br>- Conduct DNS, SMB, SMTP, and SNMP Enumeration<br>- Understand Living off the Land techniques |
| Vulnerability Scanning | Vulnerability Scanning Theory | - Gain a basic understanding of the Vulnerability Scanning process<br>- Learn about the different types of Vulnerability Scans<br>- Understand the considerations of a Vulnerability Scan |
| | Vulnerability Scanning with Nessus | - Install Nessus<br>- Understand the different Nessus components<br>- Configure and perform a vulnerability scan<br>- Understand and work with the results of a vulnerability scan with Nessus<br>- Provide credentials to perform an authenticated vulnerability scan<br>- Gain a basic understanding of Nessus plugins |
| | Vulnerability Scanning with Nmap | - Understand the basics of the Nmap Scripting Engine (NSE)<br>- Perform a lightweight Vulnerability Scan with Nmap<br>- Work with custom NSE scripts |
| Introduction to Web Applications | Web Application Assessment Methodology | - Understand web application security testing requirements<br>- Learn different types and methodologies of web application testing<br>- Learn about the OWASP Top 10 and the most common web vulnerabilities |
| | Web Application Assessment Tools | - Perform common enumeration techniques on web applications<br>- Understand Web Proxies theory<br>- Learn how the Burp Suite proxy works for web application testing |
| | Web Application Enumeration | - Learn how to debug Web Application source code<br>- Understand how to enumerate and inspect Headers, Cookies, and Source Code<br>- Learn how to conduct API testing methodologies |
| | Cross-Site Scripting (XSS) | - Understand Cross-Site Scripting vulnerability types<br>- Exploit basic Cross-Site Scripting<br>- Perform Privilege Escalation via Cross-Site Scripting |
| Common Web Application Attacks | Directory Traversal | - Understand absolute and relative paths<br>- Learn how to exploit directory traversal vulnerabilities<br>- Use encoding for special characters |
| | File Inclusion Vulnerabilities | - Learn the difference between File Inclusion and Directory Traversal vulnerabilities<br>- Gain an understanding of File Inclusion vulnerabilities<br>- Understand how to leverage Local File Inclusion (LFI) to obtain code execution<br>- Explore PHP wrapper usage<br>- Learn how to perform Remote File Inclusion (RFI) attacks |
| | File Upload Vulnerabilities | - Understand File Upload vulnerabilities<br>- Learn how to identify File Upload vulnerabilities<br>- Explore different vectors to exploit File Upload vulnerabilities |
| | Command Injection | - Learn about command injection in web applications<br>- Use operating system commands for OS command injection<br>- Understand how to leverage command injection to gain system access |
| SQL Injection Attacks | SQL Theory and Database Types | - Refresh SQL theory fundamentals<br>- Learn different DB types<br>- Understand different SQL syntax |
| | Manual SQL Exploitation | - Manually identify SQL injection vulnerabilities<br>- Understand UNION SQLi payloads<br>- Learn about Error-based SQLi payloads<br>- Understand Blind SQLi payloads |
| | Manual and Automated Code Execution | - Exploit MSSQL Databases with xp_cmdshell<br>- Automate SQL Injection with SQLmap |
| Client-Side Attacks | Target Reconnaissance | - Gather information to prepare client-side attacks<br>- Leverage client fingerprinting to obtain information |
| | Exploiting Microsoft Office | - Understand variations of Microsoft Office client-side attacks<br>- Install Microsoft Office<br>- Leverage Microsoft Word Macros |
| | Abusing Windows Library Files | - Prepare an attack with Windows library files<br>- Leverage Windows shortcuts to obtain code execution |
| Locating Public Exploits | Getting Started | - Understand the risk of executing untrusted exploits<br>- Understand the importance of analyzing the exploit code before execution |
| | Online Exploit Resources | - Access multiple online exploit resources<br>- Differentiate between various online exploit resources<br>- Understand the risks associated with online exploit resources<br>- Use Google search operators to discover public exploits |
| | Offline Exploit Resources | - Access multiple exploit frameworks<br>- Use SearchSploit<br>- Use Nmap NSE Scripts |
| | Exploiting a Target | - Follow a basic penetration test workflow to enumerate a target system<br>- Completely exploit a machine that is vulnerable to public exploits<br>- Discover appropriate exploits for a target system<br>- Execute a public exploit to gain a limited shell on a target host |
| Fixing Exploits | Fixing Memory Corruption Exploits | - Understand high-level buffer overflow theory<br>- Cross-compile binaries<br>- Modify and update memory corruption exploits |
| | Fixing Web Exploits | - Fix web application exploits<br>- Troubleshoot common web application exploit issues |
| Antivirus Evasion | Antivirus Evasion Software Key Components and Operations | - Recognize known vs. unknown threats<br>- Understand AV key components<br>- Understand AV detection engines |
| | AV Evasion in Practice | - Understand antivirus evasion testing best practices<br>- Manually evade AV solutions<br>- Leverage automated tools for AV evasion |
| Password Attacks | Attacking Network Services Logins | - Attack SSH and RDP logins<br>- Attack HTTP POST login forms |
| | Password Cracking Fundamentals | - Understand the fundamentals of password cracking<br>- Mutate wordlists<br>- Explain the basic password cracking methodology<br>- Attack password manager key files<br>- Attack the passphrase of SSH private keys |
| | Working with Password Hashes | - Obtain and crack NTLM hashes<br>- Pass NTLM hashes<br>- Obtain and crack Net-NTLMv2 hashes<br>- Relay Net-NTLMv2 hashes |
| Windows Privilege Escalation | Enumerating Windows | - Understand Windows privileges and access control mechanisms<br>- Obtain situational awareness<br>- Search for sensitive information on Windows systems<br>- Find sensitive information generated by PowerShell<br>- Become familiar with automated enumeration tools |
| | Leveraging Windows Services | - Hijack service binaries<br>- Hijack service DLLs<br>- Abuse unquoted service paths |
| | Abusing Other Windows Components | - Leverage Scheduled Tasks to elevate our privileges<br>- Understand the different types of exploits leading to privilege escalation<br>- Abuse privileges to execute code as privileged user accounts |
| Linux Privilege Escalation | Enumerating Linux | - Understand file and user privileges on Linux<br>- Perform manual enumeration<br>- Conduct automated enumeration |
| | Exposed Confidential Information | - Understand user history files<br>- Inspect user trails for credential harvesting<br>- Inspect system trails for credential harvesting |
| | Insecure File Permissions | - Abuse insecure cron jobs to escalate privileges<br>- Abuse insecure file permissions to escalate privileges |
| | Insecure System Components | - Abuse SUID programs and capabilities for privilege escalation<br>- Circumvent special sudo permissions to escalate privileges<br>- Enumerate the system's kernel for known vulnerabilities, then abuse them for privilege escalation |
| Port Redirection and SSH Tunneling | Port Forwarding with \*NIX Tools | - Learn about port forwarding<br>- Understand why and when to use port forwarding<br>- Use Socat for port forwarding |
| | SSH Tunneling | - Learn about SSH tunneling<br>- Understand how to perform SSH local port forwarding<br>- Understand how to perform SSH dynamic port forwarding<br>- Understand how to perform SSH remote port forwarding<br>- Understand how to perform SSH remote dynamic port forwarding |
| | Port Forwarding with Windows Tools | - Understand port forwarding and tunneling with ssh.exe on Windows<br>- Understand port forwarding and tunneling with Plink<br>- Understand port forwarding with Netsh |
| Advanced Tunneling | Tunneling Through Deep Packet Inspection | - Learn about HTTP tunneling<br>- Understand how to perform HTTP tunneling with Chisel<br>- Learn about DNS tunneling<br>- Understand how to perform DNS tunneling with dnscat |
| The Metasploit Framework | Getting Familiar with Metasploit | - Set up and navigate Metasploit<br>- Use auxiliary modules<br>- Leverage exploit modules |
| | Using Metasploit Payloads | - Understand the differences between staged and non-staged payloads<br>- Explore the Meterpreter payload<br>- Create executable payloads |
| | Performing Post-Exploitation with Metasploit | - Use core Meterpreter post-exploitation features<br>- Use post-exploitation modules<br>- Perform pivoting with Metasploit |
| | Automating Metasploit | - Create resource scripts<br>- Use resource scripts in Metasploit |
| Active Directory Introduction and Enumeration | Active Directory Manual Enumeration | - Enumerate Active Directory using legacy Windows applications<br>- Use PowerShell and .NET to perform additional AD enumeration |
| | Manual Enumeration: Expanding Our Repertoire | - Enumerate operating system permissions and logged-on users<br>- Enumerate through Service Principal Names<br>- Enumerate object permissions<br>- Explore domain shares |
| | Active Directory Automated Enumeration | - Collect domain data using SharpHound<br>- Analyze domain data using BloodHound |
| Attacking Active Directory Authentication | Understanding Active Directory Authentication | - Understand NTLM Authentication<br>- Understand Kerberos Authentication<br>- Become familiar with cached AD credentials |
| | Performing Attacks on Active Directory Authentication | - Use password attacks to obtain valid user credentials<br>- Abuse enabled user account options<br>- Abuse the Kerberos SPN authentication mechanism<br>- Forge service tickets<br>- Impersonate a domain controller to retrieve any domain user credentials |
| Lateral Movement in Active Directory | Active Directory Lateral Movement Techniques | - Understand WMI, WinRS, and WinRM lateral movement techniques<br>- Abuse PsExec for lateral movement<br>- Learn about Pass The Hash and Overpass The Hash as lateral movement techniques<br>- Misuse DCOM to move laterally |
| | Active Directory Persistence | - Understand the general purpose of persistence techniques<br>- Leverage golden tickets as a persistence attack<br>- Learn about shadow copies and how they can be abused for persistence |
| Assembling the Pieces | Enumerating the Public Network | - Enumerate machines on a public network<br>- Obtain useful information to utilize for later attacks |
| | Attacking WEBSRV1 | - Utilize vulnerabilities in WordPress Plugins<br>- Crack the passphrase of an SSH private key<br>- Elevate privileges using sudo commands<br>- Leverage developer artifacts to obtain sensitive information |
| | Gaining Access to the Internal Network | - Validate domain credentials from a non-domain-joined machine<br>- Perform phishing to get access to the internal network |
| | Enumerating the Internal Network | - Gain situational awareness in a network<br>- Enumerate hosts, services, and sessions in a target network<br>- Identify attack vectors in a target network |
| | Attacking the Web Application on INTERNALSRV1 | - Perform Kerberoasting<br>- Abuse a WordPress Plugin function for a Relay attack |
| | Gaining Access to the Domain Controller | - Gather information to prepare client-side attacks<br>- Leverage client fingerprinting to obtain information |