
The World's Premier Online Penetration Testing Course

PTPv2 in pills:
- Self-paced, online, flexible access
- 2400+ interactive slides and 9 hours of video material
- Three top-level authors
- Three knowledge domains
- Incredibly in-depth coverage of every technique
- Two virtual labs for Network, System and Web application security hands-on sessions
- Dozens of real-world vulnerable networks and websites
- Reporting skills covered in depth
- Prepares for eCPPT certification
- Prepares for real-world Penetration testing jobs

This training course has been chosen by students in 82 countries and by leading organizations such as:

Course home page: http://www.elearnsecurity.com/course/penetration_testing/

The System security section will provide you with a thorough understanding of the x86 architecture and its weaknesses.
- Module 1: Introduction
- Module 2: Cryptography and Password Cracking
- Module 3: Buffer Overflow
- Module 4: Shellcoding
- Module 5: Malware
- Module 6: Rootkit coding

In this module you will learn the basics of C++, ASM and the x86 architecture. Sample source code in C++ and Assembly language is provided to get the student familiar with these languages. Advanced buffer overflow exploitation, shellcoding and rootkit coding will require compilers and assemblers that you will get familiar with in this module.

1. Introduction
  1.1. Dev-Cpp
    1.1.1. Using Dev-Cpp
    1.1.2. C++ Video
  1.2. Nasm Assembler
    1.2.1. NasmX Assembler Introduction
    1.2.2. X86 Stack
    1.2.3. PUSH and POP
    1.2.4. EBP/ESP functionality
  1.3. Immunity Debugger
    1.3.1. Sample Driver
    1.3.2. Compiling your Driver
    1.3.3. Using a Driver
    1.3.4. Viewing Driver Output

Hera Labs are included in this module

Almost all penetration testing engagements require an understanding of cryptographic aspects. This module will ensure that you're current with the most common cryptographic technologies, algorithms and tools. You will also learn how to perform advanced password cracking using the best tools available. A thorough review of the most modern tools used to steal and crack Windows password hashes is provided.

2. Cryptography & Password Cracking
  2.1. Introduction
  2.2. Classification
  2.3. Cryptographic Hash Function
  2.4. Public Key Infrastructure
  2.5. PGP
  2.6. Secure Shell (SSH)
    2.6.1. SSH Tunneling
    2.6.2. SSH Tunneling video
  2.7. Cryptographic attacks
  2.8. Security pitfalls in implementing Cryptography Systems
  2.9. Windows Passwords
    2.9.1. LM and NT hashes
    2.9.2. SAM
    2.9.3. Stealing hashes Remote
    2.9.4. Stealing hashes Local
    2.9.5. Stealing hashes Live host
    2.9.6. Stealing hashes Offline
    2.9.7. Pass the hash
    2.9.8. Cracking the hash

Finding and exploiting buffer overflows in real-world applications is what you will learn during this incredibly hands-on module. A hard topic is made easy through examples explained step by step, starting from the very basics of stack manipulation. Armed with assemblers, compilers and debuggers, students will learn how to hijack the execution of applications. At the end of the module, the student is exposed to the most modern techniques used to prevent buffer overflows and the main methods to bypass them.

3. Buffer Overflow
  3.1. Introduction
  3.2. The Stack
    3.2.1. X86 Stack Frames Samples
  3.3. Buffer Overflows
    3.3.1. Gaining control of EIP
    3.3.2. Steps to trigger the Overflow
  3.4. Finding Buffer Overflows
    3.4.1. Fuzzing
    3.4.2. Identifying Buffer overflows after a crash
  3.5. Exploiting real world Buffer Overflows
    3.5.1. 32Bit FTP Client exploitation
  3.6. ASLR and DEP
    3.6.1. ASLR Brute forcing
    3.6.2. ASLR NOP Sleds
    3.6.3. ASLR Non randomized memory
    3.6.4. DEP

Hera Labs are included in this module

The art of Shellcoding is made available to anyone through easy to understand samples and real world complex scenarios.

A small part of theoretical aspects will introduce the practical examples where you will actually create your own shellcode through the use of compilers and assemblers. Different techniques are shown in order to let you create your own shellcode. Three source code examples are explained line by line.

4. Shellcoding
  4.1. Execution of Shellcode
  4.2. Types of Shellcode
  4.3. Shellcode encoding
    4.3.1. Null free shellcode
    4.3.2. Alphanumeric shellcode
    4.3.3. Percentage encoding
  4.4. Sample 1 : Shellcoding framework
  4.5. Sleep() Shellcode
  4.6. Writing Universal Shellcode for Windows
    4.6.1. Finding kernel32.dll address
    4.6.2. Resolving references at runtime
  4.7. Sample 2 : OS Independent shellcode
  4.8. Sample 3 : Privilege escalation shellcodes
    4.8.1. Setting up Windows for Debugging
    4.8.2. The logic behind privilege escalation
    4.8.3. The Driver Architecture
    4.8.4. Sample Driver Framework code for Kernel privilege escalation

Hera Labs are included in this module

A thorough and detailed classification of the types of malware is the introduction to a module featuring the most advanced and obscure techniques used by modern malware. The module is enriched as three malware source codes are dissected and explained line by line: a Keylogger, a Trojan and a Virus.

5. Malware
  5.1. Classification
  5.2. Techniques used by Malware
    5.2.1. Streams
    5.2.2. Hooking SSDT
    5.2.3. Hooking IRP
    5.2.4. Hiding a process
    5.2.5. API Hooking
      5.2.5.1. IAT Hooking
      5.2.5.2. EAT Hooking
      5.2.5.3. Inline Hooking
    5.2.6. Anti-Debugging methods
    5.2.7. Anti-Virtual machine methods
    5.2.8. Obfuscation
    5.2.9. Packers
    5.2.10. Polymorphism
    5.2.11. Metamorphism
      5.2.11.1. Garbage Insertion
      5.2.11.2. Registers Exchange
      5.2.11.3. Permutation
  5.3. How malware spreads
    5.3.1. Null free shellcode
    5.3.2. Alphanumeric shellcode
    5.3.3. Percentage encoding
  5.4. Real world Samples
    5.4.1. Sample 1 : Keylogger
    5.4.2. Sample 2 : Trojan
    5.4.3. Sample 3 : Virus

From the creators of the first Windows 7 BIOS rootkit, this module will cover the basics and the most important aspects of rootkit coding. A brief classification will introduce you to 3 rootkit source code snippets uncovering the techniques most used by rootkits. You will be able to understand and code rootkits yourself using the Windows Driver Development Kit and perform advanced covert penetration testing.

6. Rootkits
  6.1. Rootkits Classification
  6.2. Sample 1 : Hiding a process
  6.3. Sample 2 : Controlling File Access
  6.4. Sample 3 : Hiding Files

The Network security section will deal with the security testing methodology, techniques and tools for networked PCs and devices.
- Module 1: Information Gathering
- Module 2: Scanning
- Module 3: Enumeration
- Module 4: Sniffing and MITM attacks
- Module 5: Exploitation
- Module 6: Post-exploitation
- Module 7: Anonymity
- Module 8: Social Engineering

The Information Gathering module covers the most important phase of the overall engagement. Just as criminals do, a Penetration tester will use the information collected during this phase to map the attack surface and increase his chances of breaching the organization. eLearnSecurity proposes an extremely thorough investigation methodology taking into account both the Business and the Infrastructure of the client. Students will learn how to get access to valuable, sensitive and sometimes secret documents by means of free services, databases and specialized search engines. Infrastructure information gathering will deal with the enumeration of DNS, Domains, Netblocks and other web assets belonging to the organization.

1. Information Gathering
  1.1. Introduction
  1.2. OSINT / Search Engines
    1.2.1. Organization Web Presence
    1.2.2. Finding government contracts
    1.2.3. Partners and third parties
    1.2.4. Job postings
    1.2.5. Financial information
    1.2.6. Information Harvesting
      1.2.6.1. theHarvester
      1.2.6.2. esearchy
    1.2.7. Cached information
  1.3. OSINT / Social Media
    1.3.1. People search and investigation
    1.3.2. Real world information gathering against eLSFoo
  1.4. Infrastructure information gathering
    1.4.1. Domains
      1.4.1.1. DNS Enumeration
      1.4.1.2. IPs
      1.4.1.3. Netblocks & ASs
    1.4.2. Netblocks
      1.4.2.1. Alive hosts
      1.4.2.2. DNS Enumeration
  1.5. Tools
    1.5.1. DNS Enum
    1.5.2. DNS Map
    1.5.3. Fierce
    1.5.4. Foca & Shodan

Hera Labs are included in this module. The student is also required to conduct an investigation against a real company.

As one of the most important steps in the penetration test of a network, this module will first teach you the theory behind port scanning and service reconnaissance. If you're not into networking, the first chapters of this module will introduce you to the basics of TCP and other network protocols. We will then show you how to use the best tools to detect alive hosts, open ports and services running on them. Through Nmap and Hping2, you will learn how to find zombies to mount completely stealthy port scans against a target. Passive and Active OS fingerprinting techniques will also be covered in depth.

2. Scanning
  2.1. Introduction
  2.2. Detecting Alive hosts and open Ports
    2.2.1. Nmap
      2.2.1.1. SYN scan
      2.2.1.2. Connect scan
      2.2.1.3. UDP scan
      2.2.1.4. Idle scan
      2.2.1.5. NULL / FIN / Xmas
      2.2.1.6. ACK scan
      2.2.1.7. IP scan
    2.2.2. SuperScan
      2.2.2.1. Win Enumeration
    2.2.3. Hping2
  2.3. Firewall/IDS evasion techniques
    2.3.1. Fragmentation
    2.3.2. Decoys
    2.3.3. Timing
    2.3.4. Using source ports
  2.4. Detecting services
    2.4.1. Banner grabbing
    2.4.2. Passive/Active Fingerprinting
  2.5. Other Tools
    2.5.1. Amap
    2.5.2. UnicornScan
    2.5.3. P0f

Hera Labs are included in this module

The scope of this module is to provide you with the techniques professional penetration testers employ to enumerate resources on a target. You will be able to explore, enumerate and map the remote network and its available services through a number of different Windows and Unix tools. NetBIOS is the subject of the first part of this module: real-world examples will be explained to show the most important techniques and tools to enumerate remote Windows shares and printers. You will also learn how to test for NetBIOS Null Sessions, which still affect old Windows versions. SNMP will be explained in all its basic parts. The student will then be introduced to attacks against the protocol through a number of common tools.

3. Enumeration
  3.1. Introduction
  3.2. NetBIOS
    3.2.1. What is NetBIOS
    3.2.2. How NetBIOS works
    3.2.3. NetBIOS commands and tools
      3.2.3.1. NAT
      3.2.3.2. Winfo
      3.2.3.3. Winfingerprint
      3.2.3.4. SID2USER / USER2SID
  3.3. SNMP
    3.3.1. What it is
    3.3.2. How it works (Agents, MIB, OID)
    3.3.3. SNMP commands
    3.3.4. SNMP Attacks
      3.3.4.1. Cracking community strings
      3.3.4.2. Snmpwalk
      3.3.4.3. Snmpenum
      3.3.4.4. Snmpset
      3.3.4.5. Snmpbrute
      3.3.4.6. Onesixtyone

Studying ARP, how it works and how it can be manipulated to mount sophisticated attacks is made extremely easy to understand. Sniffing is a technique that you will be able to fully grasp in its most practical aspects. We'll make sure you have enough basics of networking theory before we cover actual attacking scenarios using the best tools available. Man in the middle attacks are one of the most used penetration testing techniques today: you will be able to mount man in the middle attacks within local networks and over the Internet.

4. Sniffing & MITM
  4.1. What sniffing means
  4.2. Sniffing
    4.2.1. Passive Sniffing
    4.2.2. Active Sniffing
      4.2.2.1. MAC Flooding
      4.2.2.2. ARP Poisoning
      4.2.2.3. Basics of ARP
    4.2.3. Tools
      4.2.3.1. Dsniff
      4.2.3.2. Wireshark
      4.2.3.3. Tcpdump
      4.2.3.4. Windump
  4.3. Man in the middle (MITM) attacks
    4.3.1. What they are
    4.3.2. ARP Poisoning for MITM
    4.3.3. Local to Remote MITM
    4.3.4. DHCP Poisoning
    4.3.5. MITM in Public Key exchange
    4.3.6. How it works (Agents, MIB, OID)
    4.3.7. SNMP commands
  4.4. Intercepting SSL traffic
    4.4.1. SSLStrip & Ettercap

This module will teach the student how to master Nessus in order to perform thorough and targeted vulnerability scans. Windows authentication protocols are dissected in all their parts to demonstrate weaknesses and related attacks from Metasploit. The student is then immersed in the common exploitation techniques used by today's Penetration testers to exploit client-side and remote vulnerabilities in workstations and servers.

5. VA & Exploitation
  5.1. Vulnerability Assessment
    5.1.1. Nessus
  5.2. Low Hanging Fruits
    5.2.1. Cracking network services: SSH, SMB, VNC, RDP, Telnet, FTP
  5.3. Exploitation
    5.3.1. Intro to Metasploit
    5.3.2. Windows LM/NTLM/NTLMv2 weaknesses
    5.3.3. Metasploit and SET advanced use : Client Side exploitation against Windows and Linux
    5.3.4. Metasploit advanced use : Remote exploitation

The module is video and lab intensive. Hera Labs are included in this module.

eLearnSecurity's experienced instructors have come up with a proven methodology to conduct thorough exploitation of remote internal networks through advanced Post exploitation techniques. Once the student is comfortable with the most recent exploitation techniques, he will be exposed to the cyclic steps of a successful Post exploitation phase. This is the phase where criminals ensure stable, high-privileged access to the remote network in order to steal and exfiltrate documents and credentials from the organization. Penetration testers must possess the same skill-set and tools in order to test not only the perimeter security but also any kind of internal weakness that affects the organization's security.

This is a video and hands-on intensive module. Hera Labs are included in this module.

6. Post Exploitation
  6.1. Introduction to the Methodology
  6.2. Maintaining access and Privilege escalation
    6.2.1. Privilege escalation
      6.2.1.1. Migration and Getsystem
      6.2.1.2. Privilege Escalation on Win Server 2008 and Windows 7
    6.2.2. Maintaining access to the compromised machine
      6.2.2.1. Crack / Pass the hash
      6.2.2.2. Backdoors
      6.2.2.3. RDP / Telnet
  6.3. Data Harvesting
    6.3.1. Determining machine role in the remote network
    6.3.2. Harvesting documents
    6.3.3. Harvesting stored credentials
    6.3.4. Harvesting web browsers data
    6.3.5. Keylogging
  6.4. Mapping the Internal Network
    6.4.1. ARP Scanning
    6.4.2. Pivoting
    6.4.3. Port scanning internal network
  6.5. Further Pivoted Exploitation
    6.5.1. Pass the hash

Penetration testers rarely need to cover their tracks. However, there are times when testing the effectiveness of the target organization's incident response team is within the scope of a Penetration tester's engagement. This module will teach techniques to perform your tests while covering your tracks.

7. Anonymity
  7.1. Browsing Anonymously
    7.1.1. HTTP Proxies
    7.1.2. Tor Network
  7.2. Tunneling for Anonymity
    7.2.1. Creating SSH Tunnels
  7.3. Cleaning traces


The Social Engineering module will guide you through the most modern social engineering attack techniques. Real-world attacks will be illustrated, exploiting the potential of social networks such as Facebook, Spokeo or Twitter. Almost 1 hour of video lessons will teach you everything you need to know to master the most important tool in the field: the Social Engineering Toolkit.

8. Social Engineering
  8.1. What is Social Engineering
  8.2. Types of Social Engineering
    8.2.1. Pretexting
    8.2.2. Phishing
    8.2.3. Baiting
    8.2.4. Physical
  8.3. Samples of Social Engineering attacks
    8.3.1. Canadian Lottery
    8.3.2. FBI E-mail
  8.4. Pretexting samples
  8.5. Role of Social Networks in Social Engineering
    8.5.1. Pipl
    8.5.2. Spokeo
  8.6. Social engineering toolkit (SET)


Today's Penetration testers have to master web application attack techniques: this lab-intensive section will teach the student how to conduct a thorough Penetration test against web applications.
- Module 1: Introduction
- Module 2: Information Gathering
- Module 3: Vulnerability assessment
- Module 4: Cross site scripting
- Module 5: SQL Injection
- Module 6: Advanced Web Attacks

This module will introduce you to the web application security field and its basic terminology. If you're new to this field you will gather all the skills you need to move on to the next, more advanced modules. If you're already an advanced web application security tester you will get introduced to the methodology and tools followed throughout the course.

1. Introduction to Web Applications
  1.1. Introduction
    1.1.1. Sessions
    1.1.2. Headers
    1.1.3. Same origin policy
  1.2. Terminology
  1.3. Tools
    1.3.1. Burp Suite

Coliseum Labs are included in this module


Web application information gathering is a complex and long process. It takes insight, guts and perseverance. You will learn the best methodologies to collect and store information about your target web assets. This information will be used at later steps in the exploitation process. At the end of this module you will be able to have so much information about your target that exploiting it will be easy and fun.

2. Information Gathering
  2.1. Gathering Information On Target
    2.1.1. Finding Owner, IP Addresses And Email Addresses
      2.1.1.1. WHOIS tools
      2.1.1.2. DNS queries and zone transfers
      2.1.1.3. Using Nslookup
  2.2. Infrastructure
    2.2.1. Fingerprinting The Webserver
      2.2.1.1. Fingerprinting Webserver Modules
      2.2.1.2. Typical HTTP Services
  2.3. Fingerprinting Frameworks And Applications
    2.3.1. Fingerprinting Third-Party Add-Ons
  2.4. Fingerprinting Custom Applications
    2.4.1. Mapping The Attack Surface
  2.5. Enumerating Resources
    2.5.1. Crawling The Website
    2.5.2. Finding Hidden Files
      2.5.2.1. Finding Back Up And Source Code Files
    2.5.3. Enumerating users accounts with Burp Proxy
  2.6. Relevant Information Through Misconfigurations
    2.6.1. Directory Listing
    2.6.2. Log And Configuration Files
  2.7. Google Hacking

Coliseum Labs are included in this module


Vulnerability Assessment is the process through which you will uncover all the vulnerabilities in the remote system. This step is absolutely necessary when the remote web server is in the scope of the tests or when the target uses third party web applications. At the end of this module you will master the two most used open source tools, Nessus and Nikto, to perform Vulnerability Assessment against web applications.

3. Vulnerability Assessment
  3.1. Vulnerability Assessment
    3.1.1. Vulnerability assessment VS Penetration testing
  3.2. Assessing vulnerabilities with Nessus
  3.3. Nikto
    3.3.1. Creating Nikto Modules

You will also be capable of customizing Nikto to make it current with the latest vulnerabilities. Coliseum Labs are included in this module.

The most widespread web application vulnerability will be dissected and studied in all its parts. At first you will be provided with a theoretical explanation. This understanding will help you in the exploitation and remediation process. Later you will master all the techniques to find XSS vulnerabilities through black box testing and within PHP code.

Real-world exploitation examples will conclude the module: you will finally steal session cookies, modify the website DOM and perform advanced phishing attacks. This is a hands-on intensive module. Coliseum Labs are included in this module.

4. XSS
  4.1. Cross site scripting
    4.1.1. Basics
  4.2. Anatomy of a XSS exploitation
  4.3. The three types of XSS
    4.3.1. Reflected XSS
    4.3.2. Persistent XSS
    4.3.3. DOM-based XSS
  4.4. Finding XSS
    4.4.1. Finding XSS in PHP code
  4.5. XSS Exploitation
    4.5.1. XSS, Browsers and same origin policy
    4.5.2. Real world attacks
      4.5.2.1. Cookie stealing through XSS
      4.5.2.2. Defacement
      4.5.2.3. Advanced phishing attacks


This module will contain the most advanced techniques to find and exploit SQL Injections, from the explanation of the most basic SQL injection up to the most advanced. Advanced methods will be taught with real-world examples and the best tools will be demonstrated on real targets. You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL Injection techniques. Tools will be covered in depth and a taxonomy will help the student to pick the right tool according to the environment and scenario he will face in real engagements.

5. SQL Injection
  5.1. Introduction to SQL Injection
    5.1.1. Dangers of a SQL Injection
    5.1.2. How SQL Injection works
  5.2. How to find SQL injections
    5.2.1. How to find SQL injections
    5.2.2. Finding Blind SQL Injections
  5.3. SQL Injection Exploitation
    5.3.1. Exploiting Union SQL Injections
  5.4. Exploiting Error Based SQL Injections
    5.4.1. Dumping database data
    5.4.2. Reading remote file system
    5.4.3. Accessing the remote network
  5.5. Exploiting Blind SQL Injection
    5.5.1. Optimized Blind SQL Injections
    5.5.2. Time Based SQL Injections
  5.6. Tools
    5.6.1. SQLmap, BSQL Hacker, Pangolin
    5.6.2. Tools taxonomy

This is a video and hands-on intensive module. Coliseum Labs are included in this module.


Sophisticated attacks on web applications are the subject of this module. Session Fixation and CSRF are underestimated and overlooked vulnerabilities. They will be covered in depth. A working exploit will be created step by step to demonstrate a CSRF vulnerability found in a famous CMS. Last but not least, you will learn how to audit Web 2.0 applications, dissecting Ajax APIs, frameworks and exposed functionalities.

6. Advanced Web Attacks
  6.1. Introduction
  6.2. Session attacks
    6.2.1. HTTP Session Fixation
    6.2.2. Preventing Session Fixation
  6.3. CSRF
    6.3.1. Finding CSRF
    6.3.2. Exploiting CSRF
    6.3.3. Preventing CSRF
  6.4. File Inclusion Vulnerabilities
    6.4.1. Local File Inclusion
    6.4.2. Remote File Inclusion
  6.5. Web 2.0 attacks
    6.5.1. How Ajax works
    6.5.2. Defeating httpOnly XST & Ajax
    6.5.3. Dissecting Ajax APIs
    6.5.4. Reverse engineering Ajax applications logic
    6.5.5. Exposed administrative functions

Coliseum Labs are included in this module


About eLearnSecurity

Based in Pisa, Italy, with a location in Colorado, USA, eLearnSecurity is a leading provider of IT security and penetration testing courses for IT professionals. eLearnSecurity advances the careers of IT security professionals by providing affordable top-level instruction. We use engaging eLearning and the most effective mix of theory, practice and methodology in IT security, all with real-world lessons that students can immediately apply to build relevant skills and keep their companies' data and systems safe. For more information, visit http://www.elearnsecurity.com.

2012 eLearnSecurity S.R.L., Via Carnelutti 11, 56124 Pisa, Italy. For more information, please visit http://www.elearnsecurity.com.
