Learning Module: Report Writing for Penetration Testers

  Learning Unit: Understanding Note-Taking
  - Review the deliverables for penetration testing engagements
  - Understand the importance of note portability
  - Identify the general structure of pentesting documentation
  - Choose the right note-taking tool
  - Understand the importance of taking screenshots
  - Use tools to take screenshots

  Learning Unit: Writing Effective Technical Penetration Testing Reports
  - Identify the purpose of a technical report
  - Understand how to specifically tailor content
  - Construct an Executive Summary
  - Account for specific test environment considerations
  - Create a technical summary
  - Describe technical findings and recommendations
  - Recognize when to use appendices, resources, and references
Learning Module: Information Gathering

  Learning Unit: The Penetration Testing Lifecycle
  - Understand the stages of a Penetration Test
  - Learn the role of Information Gathering inside each stage
  - Understand the differences between Active and Passive Information Gathering

  Learning Unit: Passive Information Gathering
  - Understand the two different Passive Information Gathering approaches
  - Learn about Open Source Intelligence (OSINT)
  - Understand Web Server and DNS passive information gathering

  Learning Unit: Active Information Gathering
  - Learn to perform Netcat and Nmap port scanning
  - Conduct DNS, SMB, SMTP, and SNMP Enumeration
  - Understand Living off the Land techniques
Learning Module: Vulnerability Scanning

  Learning Unit: Vulnerability Scanning Theory
  - Gain a basic understanding of the Vulnerability Scanning process
  - Learn about the different types of Vulnerability Scans
  - Understand the considerations of a Vulnerability Scan

  Learning Unit: Vulnerability Scanning with Nessus
  - Install Nessus
  - Understand the different Nessus components
  - Configure and perform a vulnerability scan
  - Understand and work with the results of a vulnerability scan with Nessus
  - Provide credentials to perform an authenticated vulnerability scan
  - Gain a basic understanding of Nessus plugins

  Learning Unit: Vulnerability Scanning with Nmap
  - Understand the basics of the Nmap Scripting Engine (NSE)
  - Perform a lightweight Vulnerability Scan with Nmap
  - Work with custom NSE scripts
Learning Module: Introduction to Web Applications

  Learning Unit: Web Application Assessment Methodology
  - Understand web application security testing requirements
  - Learn different types and methodologies of web application testing
  - Learn about the OWASP Top 10 and most common web vulnerabilities

  Learning Unit: Web Application Assessment Tools
  - Perform common enumeration techniques on web applications
  - Understand Web Proxies theory
  - Learn how Burp Suite proxy works for web application testing

  Learning Unit: Web Application Enumeration
  - Learn how to debug Web Application source code
  - Understand how to enumerate and inspect Headers, Cookies, and Source Code
  - Learn how to conduct API testing methodologies

  Learning Unit: Cross-Site Scripting (XSS)
  - Understand Cross-Site Scripting vulnerability types
  - Exploit basic Cross-Site Scripting
  - Perform Privilege Escalation via Cross-Site Scripting
Learning Module: Common Web Application Attacks

  Learning Unit: Directory Traversal
  - Understand absolute and relative paths
  - Learn how to exploit directory traversal vulnerabilities
  - Use encoding for special characters

  Learning Unit: File Inclusion Vulnerabilities
  - Learn the difference between File Inclusion and Directory Traversal vulnerabilities
  - Gain an understanding of File Inclusion vulnerabilities
  - Understand how to leverage Local File Inclusion (LFI) to obtain code execution
  - Explore PHP wrapper usage
  - Learn how to perform Remote File Inclusion (RFI) attacks

  Learning Unit: File Upload Vulnerabilities
  - Understand File Upload vulnerabilities
  - Learn how to identify File Upload vulnerabilities
  - Explore different vectors to exploit File Upload vulnerabilities

  Learning Unit: Command Injection
  - Learn about command injection in web applications
  - Use operating system commands for OS command injection
  - Understand how to leverage command injection to gain system access
Learning Module: SQL Injection Attacks

  Learning Unit: SQL Theory and Database Types
  - Refresh SQL theory fundamentals
  - Learn different DB types
  - Understand different SQL syntax

  Learning Unit: Manual SQL Exploitation
  - Manually identify SQL injection vulnerabilities
  - Understand UNION SQLi payloads
  - Learn about Error SQLi payloads
  - Understand Blind SQLi payloads

  Learning Unit: Manual and Automated Code Execution
  - Exploit MSSQL Databases with xp_cmdshell
  - Automate SQL Injection with SQLmap
Learning Module: Client-Side Attacks

  Learning Unit: Target Reconnaissance
  - Gather information to prepare client-side attacks
  - Leverage client fingerprinting to obtain information

  Learning Unit: Exploiting Microsoft Office
  - Understand variations of Microsoft Office client-side attacks
  - Install Microsoft Office
  - Leverage Microsoft Word Macros

  Learning Unit: Abusing Windows Library Files
  - Prepare an attack with Windows library files
  - Leverage Windows shortcuts to obtain code execution
Learning Module: Locating Public Exploits

  Learning Unit: Getting Started
  - Understand the risk of executing untrusted exploits
  - Understand the importance of analyzing the exploit code before execution

  Learning Unit: Online Exploit Resources
  - Access multiple online exploit resources
  - Differentiate between various online exploit resources
  - Understand the risks between online exploit resources
  - Use Google search operators to discover public exploits

  Learning Unit: Offline Exploit Resources
  - Access multiple exploit frameworks
  - Use SearchSploit
  - Use Nmap NSE Scripts

  Learning Unit: Exploiting a Target
  - Follow a basic penetration test workflow to enumerate a target system
  - Completely exploit a machine that is vulnerable to public exploits
  - Discover appropriate exploits for a target system
  - Execute a public exploit to gain a limited shell on a target host
Learning Module: Fixing Exploits

  Learning Unit: Fixing Memory Corruption Exploits
  - Understand high-level buffer overflow theory
  - Cross-compile binaries
  - Modify and update memory corruption exploits

  Learning Unit: Fixing Web Exploits
  - Fix web application exploits
  - Troubleshoot common web application exploit issues
Learning Module: Antivirus Evasion

  Learning Unit: Antivirus Evasion Software Key Components and Operations
  - Recognize known vs unknown threats
  - Understand AV key components
  - Understand AV detection engines

  Learning Unit: AV Evasion in Practice
  - Understand antivirus evasion testing best practices
  - Manually evade AV solutions
  - Leverage automated tools for AV evasion
Learning Module: Password Attacks

  Learning Unit: Attacking Network Services Logins
  - Attack SSH and RDP logins
  - Attack HTTP POST login forms

  Learning Unit: Password Cracking Fundamentals
  - Understand the fundamentals of password cracking
  - Mutate wordlists
  - Explain the basic password cracking methodology
  - Attack password manager key files
  - Attack the passphrase of SSH private keys

  Learning Unit: Working with Password Hashes
  - Obtain and crack NTLM hashes
  - Pass NTLM hashes
  - Obtain and crack Net-NTLMv2 hashes
  - Relay Net-NTLMv2 hashes
Learning Module: Windows Privilege Escalation

  Learning Unit: Enumerating Windows
  - Understand Windows privileges and access control mechanisms
  - Obtain situational awareness
  - Search for sensitive information on Windows systems
  - Find sensitive information generated by PowerShell
  - Become familiar with automated enumeration tools

  Learning Unit: Leveraging Windows Services
  - Hijack service binaries
  - Hijack service DLLs
  - Abuse unquoted service paths

  Learning Unit: Abusing Other Windows Components
  - Leverage Scheduled Tasks to elevate our privileges
  - Understand the different types of exploits leading to privilege escalation
  - Abuse privileges to execute code as privileged user accounts
Learning Module: Linux Privilege Escalation

  Learning Unit: Enumerating Linux
  - Understand file and user privileges on Linux
  - Perform manual enumeration
  - Conduct automated enumeration

  Learning Unit: Exposed Confidential Information
  - Understand user history files
  - Inspect user trails for credential harvesting
  - Inspect system trails for credential harvesting

  Learning Unit: Insecure File Permissions
  - Abuse insecure cron jobs to escalate privileges
  - Abuse insecure file permissions to escalate privileges

  Learning Unit: Insecure System Components
  - Abuse SUID programs and capabilities for privilege escalation
  - Circumvent special sudo permissions to escalate privileges
  - Enumerate the system's kernel for known vulnerabilities, then abuse them for privilege escalation
Learning Module: Port Redirection and SSH Tunneling

  Learning Unit: Port Forwarding with *NIX Tools
  - Learn about port forwarding
  - Understand why and when to use port forwarding
  - Use Socat for port forwarding

  Learning Unit: SSH Tunneling
  - Learn about SSH tunneling
  - Understand how to perform SSH local port forwarding
  - Understand how to perform SSH dynamic port forwarding
  - Understand how to perform SSH remote port forwarding
  - Understand how to perform SSH remote dynamic port forwarding

  Learning Unit: Port Forwarding with Windows Tools
  - Understand port forwarding and tunneling with ssh.exe on Windows
  - Understand port forwarding and tunneling with Plink
  - Understand port forwarding with Netsh
Learning Module: Advanced Tunneling

  Learning Unit: Tunneling Through Deep Packet Inspection
  - Learn about HTTP tunneling
  - Understand how to perform HTTP tunneling with Chisel
  - Learn about DNS tunneling
  - Understand how to perform DNS tunneling with dnscat
Learning Module: The Metasploit Framework

  Learning Unit: Getting Familiar with Metasploit
  - Set up and navigate Metasploit
  - Use auxiliary modules
  - Leverage exploit modules

  Learning Unit: Using Metasploit Payloads
  - Understand the differences between staged and non-staged payloads
  - Explore the Meterpreter payload
  - Create executable payloads

  Learning Unit: Performing Post-Exploitation with Metasploit
  - Use core Meterpreter post-exploitation features
  - Use post-exploitation modules
  - Perform pivoting with Metasploit

  Learning Unit: Automating Metasploit
  - Create resource scripts
  - Use resource scripts in Metasploit
Learning Module: Active Directory Introduction and Enumeration

  Learning Unit: Active Directory Manual Enumeration
  - Enumerate Active Directory using legacy Windows applications
  - Use PowerShell and .NET to perform additional AD enumeration

  Learning Unit: Manual Enumeration: Expanding Our Repertoire
  - Enumerate operating system permissions and logged-on users
  - Enumerate through Service Principal Names
  - Enumerate Object Permissions
  - Explore Domain Shares

  Learning Unit: Active Directory Automated Enumeration
  - Collect domain data using SharpHound
  - Analyze domain data using BloodHound
Learning Module: Attacking Active Directory Authentication

  Learning Unit: Understanding Active Directory Authentication
  - Understand NTLM Authentication
  - Understand Kerberos Authentication
  - Become familiar with cached AD Credentials

  Learning Unit: Performing Attacks on Active Directory Authentication
  - Use password attacks to obtain valid user credentials
  - Abuse enabled user account options
  - Abuse the Kerberos SPN authentication mechanism
  - Forge service tickets
  - Impersonate a domain controller to retrieve any domain user credentials
Learning Module: Lateral Movement in Active Directory

  Learning Unit: Active Directory Lateral Movement Techniques
  - Understand WMI, WinRS, and WinRM lateral movement techniques
  - Abuse PsExec for lateral movement
  - Learn about Pass The Hash and Overpass The Hash as lateral movement techniques
  - Misuse DCOM to move laterally

  Learning Unit: Active Directory Persistence
  - Understand the general purpose of persistence techniques
  - Leverage golden tickets as a persistence attack
  - Learn about shadow copies and how they can be abused for persistence
Learning Module: Assembling the Pieces

  Learning Unit: Enumerating the Public Network
  - Enumerate machines on a public network
  - Obtain useful information to utilize for later attacks

  Learning Unit: Attacking WEBSRV1
  - Utilize vulnerabilities in WordPress Plugins
  - Crack the passphrase of an SSH private key
  - Elevate privileges using sudo commands
  - Leverage developer artifacts to obtain sensitive information

  Learning Unit: Gaining Access to the Internal Network
  - Validate domain credentials from a non-domain-joined machine
  - Perform phishing to get access to the internal network

  Learning Unit: Enumerating the Internal Network
  - Gain situational awareness in a network
  - Enumerate hosts, services, and sessions in a target network
  - Identify attack vectors in a target network

  Learning Unit: Attacking the Web Application on INTERNALSRV1
  - Perform Kerberoasting
  - Abuse a WordPress Plugin function for a Relay attack

  Learning Unit: Gaining Access to the Domain Controller
  - Gather information to prepare client-side attacks
  - Leverage client fingerprinting to obtain information