Mastering Penetration Testing Course

Master Penetration Testing and Red Teaming

Duration: 220 hrs.


Content:

- Network & OSA Basics (network fundamentals – OS Basics)
- Web crash course
- Intro to cyber security
- Network penetration testing
- Web penetration testing
- Mobile penetration testing (Android – iOS)

Level 1: Network, OS and Web preparation course

Network & OSA preparation course 40 hrs.

- Intro to networks
- Network protocols
- OSI Model
- IPv4 & IPv6
- Switch basic configuration
- Switching protocols (VLAN – STP – SVI – HSRP – Port security)
- Switching security and mitigations
- Routing protocols, dynamic & static
- WAN technologies
- Installing & administrating Windows Server
- Active Directory services (domain controller – containers – OU – Group Policy)

WEB programming crash course 40 hrs

- HTML basics
- CSS basics
- JS basics
- Bootstrap
- Ajax basics
- PHP fundamentals
- SQL basics

Level 2: RED Team penetration testing track

1- Web Applications Penetration Testing 40 hrs.

Module 0x01 - Introduction

1.1 - Web Apps
1.2 - Web Servers
1.3 - HTTP Basics
1.4 - Cookies
1.5 - Encoding
1.6 - WAF
1.7 - Web Proxy
1.8 - Web Vulnerabilities
1.9 - Pentesting Methodology
1.10 - History of Web Application Vulnerabilities

Module 0x02 - Enumeration and Recon


1.1 - Introduction
1.2 - Scanning & Scanning tools
1.2.1 - Nmap
1.2.2 - Nikto
1.2.3 - Whatweb
1.3 - Banner Grabbing
1.5 - Dorks & “Google Hacking”
1.6 - DNS & DNS Enumeration
1.6.1 - DNSMap
1.6.2 - Fierce
1.7 - Mapping Attack Surface
1.8 - Detecting Web Apps
1.9 - Detecting Web Application Firewall
1.10 - Detecting Hidden Files
1.11 - Identifying application entry points
1.12 - Spidering and crawling
1.13 - Burp Suite

Module 0x03 - Server Side Attacks


1.0 - SQL Injection
1.2 - Introduction
1.3 - Types of databases
1.4 - Command Crafting Example
1.5 - Blind SQL Injection
1.6 - Time-Based SQL Injection
1.7 - Countermeasures

2.0 - Command Injection

2.1 - Introduction
2.2 - Command injection: a real-life example
2.3 - Countermeasures
3.0 - Parameter Tampering
3.1 - Introduction
3.2 - Parameter tampering: a real-life example
3.3 - Countermeasures
4.0 - File Inclusion
4.1 - LFI
4.2 - Directory Traversal
4.3 - Finding and Exploiting
4.4 - From File Inclusion to Webshell
5.0 - File Upload
5.1 - Basics
5.2 - Unrestricted File Upload
5.3 - From Upload to Defacement
5.4 - Exercises & CTF

6.0 - Attacking Authentication

6.1 - Authentication vs. Authorization
6.2 - Username Enumeration
6.3 - Brute-forcing Attacks
6.4 - Bypassing Authentication
6.5 - Exercises & CTF
7.0 - DoS Attacks
8.0 - Sniffing Attacks
9.0 - Exploitation Techniques
10.0 - Exercises & CTF

Module 0x04 - Client-side attacks


1.0 - XSS (Cross-Site Scripting)
1.2 - Reflected XSS
1.2.1 - Example: XSS-based phishing attacks
1.3 - DOM-Based XSS
1.4 - DOM-Based XSS: A real-life example
1.5 - Ramifications
1.5.1 - Session Hijacking
1.6 - Countermeasures

1.0 - CSRF/XSRF (Cross-Site Request Forgery)

1.1 - Introduction
1.2 - Exploiting GET-Based CSRF
1.3 - Exploiting POST-Based CSRF
1.4 - CSRF: A real-life example
1.5 - Countermeasures

Module 0x05 - Reporting and responsible disclosure


1.0 - Reporting
1.1 - Responsible Disclosure
1.2 - Why Report a Vulnerability?
1.3 - Bug Bounty Programs
1.4 - Intro to Exploit Platforms
1.5 - Intro About Exploiting Bugs on the Metasploit Project
1.6 - Intro About Exploiting Bugs on Exploit Pack
1.7 - Intro to Exploit Platforms
1.7.1 - Intro to the Metasploit Project
1.7.2 - Intro to Exploit Packs
1.8 - Bug Bounty & Report Creation
1.9 - About Bug Bounty Programs
1.10 - About Programs & How to Earn Bounty
1.11 - How to Create a Bug Report
1.12 - Final Test & CTF

Tools
1.1 - HackBar
1.2 - Plug n' Pwn
1.3 - Netsparker
1.4 - WPScan
1.5 - sqlmap
1.6 - Live HTTP Headers
1.7 - Tamper Data
1.8 - Maltego

Penetration Testing & Network Testing Course 40 hrs.

Module 0x01 - Information Gathering

1.1. Introduction

1.2. OSINT / Search Engines

1.2.1. Organization Web Presence

1.2.2. Finding government contracts

1.2.3. Partners and third parties

1.2.4. Job postings

1.2.5. Financial information

1.2.6. Information Harvesting

[Link]. theHarvester

1.2.7. Cached information

1.3. OSINT / Social Media

1.3.1. People search and investigation

1.3.2. Real-world information gathering against eLSFoo

1.4. Infrastructure information gathering

1.4.1. Domains
[Link]. DNS Enumeration

[Link]. IPs

[Link]. Bing

[Link]. Netblocks & ASs

1.4.2. Netblocks

[Link]. Live hosts

[Link]. Further DNS

1.4.3. Maltego

Module 0x02 – Scanning and Recon

2.1. Introduction

2.1.1. Ports, Protocol, and Services

2.1.2. The Three-Way Handshake

[Link]. Crafting Packets

2.2. Detect Live Hosts and Open Ports

2.2.1. Tools

[Link]. Nmap

[Link].1. SYN Scan

[Link].2. Connect Scan


[Link].3. UDP Scan

[Link].4. Idle Scan

[Link].5. NULL / FIN / Xmas

[Link].6. ACK Scan

[Link].7. IP Scan

[Link].8. Nmap NSE

[Link]. Hping

NETWORK SECURITY

[Link]. Other Tools

2.3. Service and OS Detection

2.3.1. Banner Grabbing

2.3.2. Probing Services

2.3.3. OS Fingerprinting

[Link]. Active OS Fingerprinting

[Link]. Passive OS Fingerprinting

2.4. Firewall/IDS Evasion

2.4.1. Fragmentation

2.4.2. Decoys

2.4.3. Timing

2.4.4. Source Ports


Module 0x03 – Enumeration

3.2. NetBIOS

3.2.1. What is NetBIOS

3.2.2. How NetBIOS works

3.2.3. SMB

3.2.4. NetBIOS Commands and Tools

[Link]. Nbtstat

[Link]. Nbtscan

Course Home Page: [Link]/ptp

[Link]. Net Command

[Link]. Smbclient and Mount

[Link]. Null Session

[Link].1. Winfingerprint

[Link].2. Winfo

[Link].3. DumpSec

[Link].4. Enum4Linux

[Link].5. RPCClient

3.3. SNMP

3.3.2. How it works (Agents, MIB, OID)

3.3.3. SNMP Attacks


[Link]. Enumeration

[Link]. Obtaining Community Strings

[Link]. SNMPWalk

[Link]. SNMPSet

[Link]. Nmap SNMP Scripts

Module 0x04 – Sniffing & MITM

4.1. What sniffing means

4.1.1. Why it is Possible

4.2. Sniffing in action

4.2.1. Passive Sniffing

4.2.2. Active Sniffing

[Link]. MAC Flooding

[Link]. ARP Poisoning

4.3. Basics of ARP

4.3.1. Gratuitous ARP

4.3.2. ARP Poisoning

[Link]. Host poisoning

[Link]. Gateway poisoning

4.4. Sniffing Tools

4.4.1. Dsniff

4.4.2. Wireshark

4.4.3. TCPDump

4.4.4. WinDump

4.5. Man-in-the-Middle (MITM) Attacks

4.5.1. What they are

4.5.2. ARP Poisoning for MITM

4.5.3. Local to Remote MITM

4.5.4. DHCP Spoofing

4.5.5. MITM in Public Key Exchange

4.5.6. LLMNR and NBT-NS Spoofing/Poisoning

[Link]. Responder/MultiRelay

4.6. Attacking Tools

4.6.1. Ettercap: Sniffing and MITM Attacks

[Link]. SSL Traffic Sniffing


4.6.2. Cain & Abel: Sniffing and MITM Attacks

4.6.3. Macof

4.6.4. Arpspoof

4.6.5. Bettercap

4.7. Intercepting SSL traffic

4.7.1. SSLStrip

4.7.2. HSTS Bypass

Module 0x05 - VULNERABILITY ASSESSMENT & EXPLOITATION

5. Vulnerability Assessment & Exploitation

5.1. Vulnerability Assessment

5.1.1. Vulnerability Scanners

5.1.2. Nessus

5.2. Low-Hanging Fruits

5.2.1. Weak Password

[Link]. Ncrack

[Link]. Medusa

[Link]. Patator

[Link]. EyeWitness
[Link]. Rsmangler

[Link]. CeWL

[Link]. Mentalist

5.3. Exploitation

5.3.1. Metasploit introduction

5.3.2. Windows Authentication Weaknesses

[Link]. LM/NTLMv1

[Link]. NTLMv2

[Link]. SMB Relay on NTLMv1

[Link]. SMB Relay on NTLMv2

[Link]. EternalBlue (MS17-010)

5.3.3. Client-Side Exploitation

5.3.4. Remote-Side Exploitation

Module 0x06 - POST EXPLOITATION

6.1. Introduction

6.1.1. Maintaining Access and Clean-up

6.1.2. Permanent Edits

6.2. Privilege Escalation and Maintaining Access

6.2.1. Privilege Escalation


[Link]. Stable

[Link]. Windows Privilege Escalation

[Link].1. Unquoted Service Paths

[Link]. Linux Privilege Escalation

6.2.2. Maintaining Access

[Link]. Password and Hashes

[Link].1. Pass the Hash

[Link].2. Cracking Hashes

[Link].3. Mimikatz

[Link].4. Windows Credentials Editor

[Link]. Enable RDP Service

[Link]. Backdoor

[Link].1. Persistence

[Link].2. Manual Installation

[Link]. New Users

[Link]. DLL Hijacking/Preloading

6.3. Pillaging

6.3.1. Exfiltration over DNS with Iodine (DNS Tunneling)

6.4. Mapping the Internal Network

6.5. Exploitation through Pivoting


Module 0x07 – ANONYMITY

7. Anonymity

7.1. Browsing Anonymously

7.1.1. HTTP Proxies

[Link]. Anonymous proxies

[Link]. Transparent proxies

7.1.2. Tor Network

7.2. Tunneling for Anonymity

7.2.1. SSH Tunneling

Module 0x08 – SOCIAL ENGINEERING

8.1. What is Social Engineering

8.2. Types of Social Engineering

8.2.1. Pretexting

8.2.2. Phishing

8.2.3. Baiting

8.2.4. Physical

8.3. Samples of Social Engineering Attacks

8.3.1. Canadian Lottery


8.3.2. FBI Email

8.3.3. Online Banking

8.4. Pretexting samples

8.5. Tools

8.5.1. Social Engineering Toolkit


Mobile Penetration Testing Course (iOS, Android) 40 hrs

Module 0x01 - Diving into Android

1) Setting up a Mobile Pentest Environment
2) Android Security Architecture
3) Permission Model Flaws
4) Getting Familiar with ADB
5) Activity and Package Manager Essentials
6) API Level Vulnerabilities
7) Rooting for Pentesters Lab
8) Android ART and DVM Insecurities

Module 0x02 - Android App for Security Professionals


1) Security Analysis of [Link]
2) Reverse Engineering for Android Apps
3) Smali for Android 101
4) Smali Labs for Android
5) Cracking and Patching Android apps
6) Understanding Dalvik
7) Dex Analysis and Obfuscation
8) Android Application Hooking
9) Using JDB and Andbug
10) Dynamic Dalvik Instrumentation for App Analysis
11) Introspy for Android
12) Creating custom Hooks
Module 0x03 - Application Specific Vulnerabilities

1) Static Analysis of Android Apps


2) Attack Surfaces for Android applications
3) Exploiting Side Channel Data Leakage
4) Exploiting and identifying vulnerable IPCs
5) Exploiting Backup and Debuggable apps
6) Exploiting Exported Components
7) Webview based vulnerabilities
8) Dynamic Analysis for Android Apps
9) Logging Based Vulnerabilities
10) Insecure Data Storage
11) Network Traffic Interception
12) Analysing Network based weaknesses
13) Exploiting Secure applications
14) Analysing Proguard, DexGuard and other Obfuscation
Techniques
15) OWASP Mobile Top 10
16) Using Drozer for Exploitation
17) Writing custom Modules for Drozer
18) Exploiting Android apps using Frida
19) Analysing Android apps using Androguard
20) Analysing Native Libraries
21) Security Issues in Hybrid Apps

Module 0x04 - ARM for Android Exploitation

1) Getting familiar with Android ARM


2) ARM Architecture and Calling conventions
3) Debugging with GDB
4) Using IDA for Android
5) Exploiting Overflow-based Vulnerabilities
6) ROP Labs for Android
7) Use-After-Free Vulnerabilities
8) Writing Your Own Reliable Exploit
9) Race Condition Vulnerabilities
10) Hardware Exploitation Techniques
11) Exploit Mitigations and Protections

Module 0x05 - Getting Started with iOS Pentesting


1) iOS security model
2) App Signing, Sandboxing and Provisioning
3) Setting up Xcode
4) Changes in iOS 10
5) Exploring the iOS filesystem
6) Intro to Objective-C and Swift

Module 0x06 - Getting Started with iOS Pentesting


1) Jailbreaking your device
2) Cydia, Mobile Substrate
3) Getting started with Damn Vulnerable iOS app
4) Binary analysis
5) Finding shared libraries
6) Checking for PIE, ARC
7) Decrypting ipa files
8) Self signing IPA files
Module 0x07 - Static and Dynamic Analysis of iOS Apps
1) Static Analysis of iOS applications
2) Dumping class information
3) Insecure local data storage
4) Dumping Keychain
5) Finding url schemes
6) Dynamic Analysis of iOS applications
7) Cycript basics
8) Advanced Runtime Manipulation using Cycript
9) Writing patches using Theos
10) Frida for iOS
11) Method Swizzling
12) GDB basic usage
13) GDB kung fu with iOS

Module 0x08 - Exploiting iOS Applications

1) Broken Cryptography
2) Side channel data leakage
3) Sensitive information disclosure
4) Exploiting URL schemes
5) Client side injection
6) Bypassing jailbreak, piracy checks
7) Inspecting Network traffic
8) Traffic interception over HTTP, HTTPS
9) Manipulating network traffic
10) Bypassing SSL pinning
Module 0x09 - Reversing iOS Apps

1) Introduction to Hopper
2) Disassembling methods
3) Modifying assembly instructions
4) Patching App Binary
5) Logify, Introspy, iNalyzer, Snoop-it