Learn Ethical Hacking, Become a Pentester
Course Syllabus & Certification Program

DOCUMENT CLASSIFICATION: PUBLIC

Copyrighted Material
No part of this publication, in whole or in part, may be reproduced, copied, transferred or used in any other manner reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distance learning, in any form or by any means such as any information storage, transmission, or retrieval system, without prior written permission from the author.
Table of Contents

Network Penetration Testing Assignments
    Footprinting / Network Mapping
    Information Gathering
    Scanning and Enumeration
    Service Identification
    Vulnerability Testing
    Exploitation
    Reporting
Web Application Penetration Test Assignments
    Configuration Management Analysis
    Analysis of Authentication
    Session Management Analysis
    Analysis of Authorisation
    Data Validation Analysis
    Analysis of Web Services
    Reporting
Technical Lessons (Course Materials)
LAB Milestones
    LAB Network Diagram
Certifications
    Certified Cyber 51 Pentesting Associate (CC51PA)
    Certified Cyber 51 Pentesting Professional (CC51PP)
    Certified Cyber 51 Pentesting Expert (CC51PE)
    How to achieve certifications during this course?
Network Penetration Testing Assignments

Footprinting / Network Mapping

Information Gathering

Milestones
    Domain names
    Server names
    IP address information
    Network topology
    ISP details
    General Internet presence
    Company profile

Tasks involved
    Examine and gather information about domain registries
    Find IP address blocks
    Names and locations of DNS servers
    Use of multiple traces in order to identify systems and devices in between
    Identify email addresses related to the company or business
    Identify newsgroups, forums and boards where information related to the company or business is found
    Examine web sites and script source code
    Examine email headers

Scanning and Enumeration

Milestones
    Ports open, closed and filtered
    IP addresses of production systems
    IP addresses of internal networks
    Asset services
    Network mapping
    Discover any tunnelled and encapsulated protocols
    List supported routing protocols
    Application type and patch level
    Type of operating systems

Tasks
    Collection of responses from the network
    Test TTL and firewalking
    Use ICMP and reverse lookup to determine the existence of machines on the network
    Use TCP fragments with FIN, NULL and XMAS flags on ports 21, 22, 25, 80 and 443 on the hosts found on the network
    Use TCP SYN on ports 21, 22, 25, 80 and 443 on the hosts found on the network
    Attempt connections to DNS servers
    Use TCP SYN (half open) to list ports that are closed or open|filtered on all hosts found on the network
    Use TCP fragments against the ports and services available on the host
    Use UDP packets to list all open ports found on the network host
    Identification of standard protocols
    Identification of non-standard protocols
    Identification of encrypted protocols
    Identify date, time and system up-time
    Identify the predictability of TCP sequence numbers
    Identify the predictability of the TCP initial sequence number (ISN)

Service Identification

Milestones
    Type of services
    Application version and type that offers the service

Tasks
    Match each open port with its corresponding service
    Identify the server up-time and patches applied
    Identify the application that provides the service through the use of fingerprinting and banners
    Identify the version of the application
    Use UDP-based services and Trojans to attempt connections to the services found

System Identification

Milestones
    Type of the operating system
    Patch levels
    Type of the system
    Enumeration of the system

Tasks
    Examine system responses to determine the operating system
    Check the predictability of TCP sequence numbers
Vulnerability Analysis

Vulnerability Testing

Milestones
    Type of applications and services listed by vulnerability
    Patch level of systems and applications
    List of vulnerabilities that can cause a denial of service condition
    List of areas secured by obscurity

Tasks
    Integrate the most popular scanners, hacking tools and exploits in this test
    Measure the goal with those tools
    Identification of vulnerabilities on the target systems and application types
    Perform redundant testing with at least two scanners as well as manually
    Identify the vulnerabilities of the operating system
    Identify application vulnerabilities

Exploitation

Sample attack scenarios in this phase include, but aren't limited to:
    Buffer overflows
    Application or system configuration issues
    Routing issues
    DNS attacks
    Address spoofing
    Shared access and exploitation of inherent system trust relationships

Reporting

Creation of executive, managerial and technical reports
Web Application Penetration Test Assignments

Configuration Management Analysis
    TLS and SSL tests
    Security testing of the listener of the management system databases
    Testing the configuration of the infrastructure and its relationship with the Web application, vulnerability analysis, analysis of authentication mechanisms and identification of all ports used by the Web application
    Testing application settings, data-mining through directories and regular files, comments from developers and the eventual acquisition and operational analysis of logs generated by the application
    Searching for old files, backups, logs of operations and other files used by the Web application
    Search for and test management interfaces of the web application or its related infrastructure
    Test the various HTTP methods supported and the possibility of XST (Cross-Site Tracing)

Analysis of Authentication
    Credential management
    Enumeration of easily identifiable users and user accounts
    Brute-force testing of identification credentials, based on the information found or inferred
    Testing authentication mechanisms and looking for bypass abilities or techniques
    Logout mechanisms and weaknesses associated with the Internet browser cache
    Strength tests of CAPTCHAs and testing of any multi-factor authentication

Session Management Analysis
    Session management schemes will be tested
    CSRF (Cross-Site Request Forgery)
    Testing cookie attributes
    Session fixation
    Evidence of exposed session variables and replay

Analysis of Authorisation
    Privilege escalation
    "Path Traversal"
    Evidence of bypass of authorisation mechanisms
    Testing the "business logic" of the Web application: bypassing, altering or cheating the relationships between its functions

Data Validation Analysis
    Tests for the various XSS (Cross Site Scripting) variants and "Cross Site Flashing"
    SQL injection tests
    LDAP injection tests
    Evidence of ORM injection
    XML injection tests
    SSI injection tests
    XPath injection tests
    IMAP / SMTP injection tests
    Evidence of code injection
    Operating system command injection tests
    Evidence of buffer overflow
    Evidence of HTTP splitting / smuggling
    Evidence of bypass of authorisation mechanisms
    Evidence of privilege escalation

Analysis of Web Services
    Security testing of WSDL
    Evidence of XML structural security
    Testing of security at the XML content level
    Testing HTTP GET parameters / REST
    Tests with contaminated SOAP attachments
    Replay testing of web services
    Testing AJAX Web application vulnerabilities related to the respective technology

Reporting

Creation of executive, managerial and technical reports
Technical Lessons (Course Materials)

1. Port Scanning
   a. TCP Port Scanning Basics
   b. UDP Port Scanning Basics
   c. Port Scanning Pitfalls
   d. NMAP
      i. Network Sweeping
      ii. OS Fingerprinting
      iii. Banner Grabbing/Service Enumeration
      iv. NMAP Scripting Engine
   e. PBNJ
   f. Unicornscan

2. Buffer Overflow Exploitation
   a. Looking for Bugs
   b. Fuzzing
      i. Exploiting Windows Buffer Overflows
      ii. Replicating the Crash
      iii. Controlling EIP
      iv. Locating Space for Shellcode
      v. Redirecting the Execution Flow
      vi. Finding a Return Address
      vii. Basic Shellcode Creation
      viii. Getting the Shell
   c. Exploiting Linux Buffer Overflows
   d. Setting Up
   e. Controlling EIP
   f. Landing the Shell
   g. Avoiding ASLR

3. Exploit Frameworks
   a. Metasploit
   b. Interesting Payloads
      i. Meterpreter Payload
      ii. Binary Payloads

4. Web Application Attack Vectors
   a. Cross Site Scripting
      i. Information Gathering
      ii. Browser Redirection and iframe Injection
      iii. Stealing Cookies and Abusing Sessions
   b. Local and Remote File Inclusion
   c. SQL Injection in PHP/MySQL
      i. Authentication Bypass
      ii. Enumerating the Database
      iii. Code Execution
   d. SQL Injection in ASP/MSSQL
      i. Identifying SQL Injection Vulnerabilities
      ii. Enumerating Table Names
      iii. Enumerating Column Types
      iv. Fiddling with the Database
      v. Microsoft SQL Stored Procedures
      vi. Code Execution
LAB Milestones

LAB Network Diagram

The students access the LAB via a VPN connection to the Segment A network. Inside Segment A, students will learn how to perform reconnaissance and scanning and, finally, how to exploit vulnerabilities (Learn Exploitation Tools and Techniques).

LAB Milestones (phase 1):
    A. Take over a system (get admin privileges) on segment A
    B. Take over a system (get admin privileges) on segment B
    C. Exploit all vulnerabilities on segment A (X.X.X.X)

Note: Students need to provide a report with evidence in order to clear phase 1.

Then students will learn exploitation tools and techniques for web application assessments.

LAB Milestones (phase 2):
    D. Take over a system (get admin privileges) on segment C (X.X.X.X)
    E. Take over a 2nd system (get admin privileges) on segment B (X.X.X.X)
        1. Grab the trophy.txt file from the machine's desktop

LAB Milestones (phase 3):
    F. Take over a 2nd system (get admin privileges) on segment C (X.X.X.X)
    G. Take over a 3rd system (get admin privileges) on segment C (X.X.X.X)
        2. Grab the trophy-2.txt file from the machine's desktop

LAB Tricks:
    Segment A: Does not have Internet access. Only one system in segment A has access through a Firewall to Segment B.
    Segment B: This segment has Internet access. Only one system in segment B has access through a Firewall to Segment C.
    Segment C: Does not have Internet access. Only one system in segment C has access through a Firewall to another system located in Segment C. There is a hardened system that needs to be taken over.
Certifications

Certified Cyber 51 Pentesting Associate (CC51PA)
Certified Cyber 51 Pentesting Professional (CC51PP)
Certified Cyber 51 Pentesting Expert (CC51PE)

Unlike other available industry certifications, the certifications at Cyber 51 are a lot harder to achieve. Delegates must prove hands-on experience and know-how in order to solve real world challenges. You won't find multiple choice questions or simple walk-through tasks. Cyber 51 certified individuals have shown Senior Penetration Testers and Ethical Hackers that they CAN ACTUALLY DO IT.

How many so-called "Ethical Hackers & Penetration Testers" are out there who simply braindump their way through? Numerous websites offer those dumps at less than $100 USD, and everybody with a halfway decent memory can pass those exams. What's the benefit to an employer or customer of hiring a brain-dumped Expert? None, because that person usually doesn't have the slightest idea how to perform a real world Penetration Test. Cyber 51 really tests the hands-on skills, and people who pass our certifications REALLY KNOW how to perform Penetration Tests and Ethical Hacking tasks.

How to achieve certifications during this course?

By completing phase 1 (A, B and C milestones) you become a: Certified Cyber 51 Pentesting Associate (CC51PA)
By completing phase 2 (D and E.1 milestones) you become a: Certified Cyber 51 Pentesting Professional (CC51PP)
By completing phase 3 (F and G.2 milestones) you become a: Certified Cyber 51 Pentesting Expert (CC51PE)