
eLearnSecurity Penetration Testing Course Pro

v1.1 - 2011

eLearnSecurity

SECTION 1: WEB APPLICATION SECURITY TESTING


OVERVIEW
Module 1: Introduction
Module 2: Information Gathering
Module 3: Vulnerability Assessment
Module 4: Cross Site Scripting
Module 5: SQL Injection
Module 6: Advanced Web Attacks

www.elearnsecurity.com contactus@elearnsecurity.com

MODULE 1: INTRODUCTION
This module introduces the web application security field and its basic terminology. If you're new to this field you will gather all the skills you need to move on to the next, more advanced modules. If you're already an experienced web application security tester you will be introduced to the methodology and tools followed throughout the course.

Syllabus
1.1 Introduction to Web applications
1.2 Terminology
1.3 Tools
1.4 Cookies, Session, Headers, Same-origin


MODULE 2: INFORMATION GATHERING
Web application information gathering is a complex and long process. It takes insight, a good nose and perseverance. You won't become smarter with this module, but you will learn the best methodologies to collect and store information about your target. This information is used at later steps in the exploitation process. At the end of this module you will have so much information about your target that exploiting it will be easy and fun. So easy that you will feel smarter.

Syllabus
2.1. Gathering Information On Target
2.1.1. Finding Owner, IP Addresses And Email Addresses
2.1.1.1. WHOIS tools
2.1.1.2. DNS queries and zone transfers
2.1.1.3. Using Nslookup
2.2. Infrastructure
2.2.1. Fingerprinting The Webserver
2.2.1.1. Fingerprinting Webserver Modules
2.2.1.2. Typical HTTP Services Ports
2.3. Fingerprinting Frameworks And Applications
2.3.1. Fingerprinting Third-Party Add-Ons
2.4. Fingerprinting Custom Applications
2.4.1. Mapping The Attack Surface
2.5. Enumerating Resources
2.5.1. Crawling The Website
2.5.2. Finding Hidden Files
2.5.2.1. Finding Back Up And Source Code Files
2.5.3. Enumerating User Accounts With Burp Proxy
2.6. Relevant Information Through Misconfigurations
2.6.1. Directory Listing
2.6.2. Log And Configuration Files
2.7. Google Hacking


MODULE 3: VULNERABILITY ASSESSMENT

Vulnerability Assessment is the process through which you uncover the vulnerabilities in the remote system. This step is absolutely necessary when the remote web server is in the scope of the tests or when the target uses third-party web applications. At the end of this module you will master two of the most widely used vulnerability scanners, Nessus and Nikto, to perform Vulnerability Assessment against web applications. You will also be able to customize Nikto to keep it current with the latest vulnerabilities.

Syllabus
1. Vulnerability Assessment
1.1. Vulnerability Assessment vs Penetration testing
2. Assessing vulnerabilities with Nessus
3. Nikto
3.1. Creating Nikto modules


MODULE 4: CROSS SITE SCRIPTING

The most widespread web application vulnerability will be dissected and studied in all its parts. First you will be given a theoretical explanation; this understanding will help you in the exploitation and remediation process. Then you will master the techniques to find XSS vulnerabilities through black box testing and within PHP code. Real world exploitation examples conclude the module: you will steal session cookies, modify the website DOM and perform advanced phishing attacks.

Syllabus
4.1. Cross site scripting
4.1.1. What it is (Basics)
4.2. Anatomy of a XSS exploitation
4.3. The three types of XSS
4.3.1. Reflected XSS
4.3.2. Persistent XSS
4.3.3. DOM-based XSS
4.4. Finding XSS
4.4.1. Finding XSS in PHP code
4.5. XSS Exploitation
4.5.1. XSS, Browsers and same origin policy
4.5.2. Real world attacks
4.5.2.1. Cookie stealing through XSS
4.5.2.2. Defacement
4.5.2.3. Advanced phishing attacks


MODULE 5: SQL INJECTION

This module contains the most advanced techniques to find and exploit SQL Injections, from the most basic SQL injection up to the most advanced. Advanced methods are taught with real world examples and the best tools are demonstrated on real targets. You will not just be able to dump remote databases but also get root on the remote machine through advanced SQL Injection techniques. Tools are covered in depth and a taxonomy will help you pick the right tool according to the environment and scenario you will face in real engagements.

Syllabus
5.1. Introduction to SQL Injection
5.1.1. How dangerous is a SQL Injection
5.1.2. How SQL Injection works
5.2. How to find SQL Injections
5.2.1. How to find SQL Injections
5.2.2. Finding Blind SQL Injections
5.3. SQL Injection Exploitation
5.3.1. Exploiting INBAND (Union) SQL Injections
5.4. Exploiting Error Based SQL Injection
5.4.1. Dumping database data
5.4.2. Reading remote file system
5.4.3. Accessing the remote network
5.5. Exploiting Blind SQL injection
5.5.1. Optimized Blind SQL injection
5.5.2. Time Based Blind SQL Injection
5.6. Tools
5.6.1. Sqlmap, BSQL Hacker, Pangolin
5.6.2. Tools taxonomy


MODULE 6: ADVANCED WEB ATTACKS
Sophisticated attacks on web applications are the subject of this module. Session Fixation and CSRF are underestimated and overlooked vulnerabilities, and they are covered in depth. A working exploit is built step by step to demonstrate a CSRF vulnerability found in a famous CMS. Last but not least you will learn how to audit web 2.0 applications by dissecting Ajax APIs, frameworks and exposed functionality.

Syllabus
6.1 Introduction
6.2 Session attacks
6.2.1 HTTP Session Fixation
6.2.1.1 Finding HTTP Session Fixation
6.2.1.2 Preventing HTTP Session Fixation
6.3 CSRF
6.3.1 Finding CSRF
6.3.2 Exploiting CSRF
6.3.3 Preventing CSRF
6.4 File inclusion vulnerabilities
6.4.1 Local File Inclusion
6.4.2 Remote File Inclusion
6.5 Web 2.0 Attacks
6.5.1 How Ajax works
6.5.1.1 Defeating httpOnly: XST & Ajax
6.5.2 Dissecting Ajax APIs
6.5.3 Reverse engineering Ajax applications logic
6.5.4 Exposed administrative functions


SECTION 2: NETWORK SECURITY TESTING


OVERVIEW
Module 1: Information Gathering
Module 2: Scanning
Module 3: Enumeration
Module 4: Sniffing and MITM attacks
Module 5: The Exploitation show
Module 6: Anonymity
Module 7: Social Engineering


MODULE 1: INFORMATION GATHERING
Every penetration test begins with the study of the targets in scope. Our instructor will guide you through the best techniques and tools to collect vital information about your targets. This information is used in later modules of the course to map the attack surface and establish an exploitation process. How to collect and organize this information is an important aspect of penetration testing, and it is covered throughout the whole course.

Syllabus
1.1. Introduction to Information Gathering
1.2. Using Whois tools
1.3. DNS queries and zone transfers
1.4. Detecting targets
1.5. Tools
1.5.1. Finding live hosts with Nmap
1.5.2. Harvesting email addresses with Maltego
1.5.3. Finding subdomains with SubDomainer
1.5.4. Bruteforcing DNS with DnsMap
1.5.5. Finding used network protocols with Cain
1.5.6. Finding used network protocols with Wireshark
1.5.7. Finding used network protocols with Arpspoof


MODULE 2: SCANNING
As one of the most important steps in the penetration test of a network, this module first teaches you the theory behind port scanning and service reconnaissance. If you're not into networking, the first chapters of this module introduce you to the basics of TCP and other network protocols. Brett then shows you how to use the best tools to detect live hosts, open ports and the services running on them. Passive and active OS fingerprinting techniques are also covered in depth.

Syllabus
2.1. Introduction to Port Scanning
2.1.1. Ports, Protocols, and Services
2.1.2. The Three Way Handshake
2.2. Detecting Live Hosts And Ports
2.2.1. Tools
2.2.1.1. Nmap
2.2.1.2. SuperScan
2.3. Detecting Services
2.3.1. Banner Grabbing
2.3.2. Passive/Active OS fingerprinting
2.3.2.1. Amap
2.3.2.2. UnicornScan
2.3.2.2.1. UnicornScan examples
2.3.2.2.2. P0f


MODULE 3: ENUMERATION
The scope of this module is to provide you with the techniques professional penetration testers employ to enumerate resources on the target. You will be able to explore, enumerate and map the remote network and its available services through a number of different Windows and Unix tools. NetBIOS is the subject of the first part of this module: real world examples show both the old and the latest techniques and tools to enumerate remote Windows shares and printers. SNMP is explained in its basic parts and then attacks on the protocol are shown.

Syllabus
3.1. Enumeration
3.2. NetBIOS
3.2.1. What is NetBIOS?
3.2.2. How NetBIOS works
3.2.3. NetBIOS Commands and Tools
3.2.3.1. NetBIOS Commands and Tools
3.2.3.2. Enumerating Shares & Null Sessions
3.2.3.2.1. NetBIOS Auditing Tool (NAT)
3.2.3.2.2. Winfo
3.2.3.2.3. Winfingerprint
3.2.3.2.4. SID2USER/USER2SID
3.3. SNMP
3.3.1. What it is (and where it's used)
3.3.2. How it works (Agents, NMS, MIB)
3.3.3. SNMP commands
3.3.4. SNMP Attacks
3.3.4.1. Enumeration
3.3.4.2. Cracking community strings
3.3.4.3. Tools
3.3.4.3.1. Snmpwalk
3.3.4.3.2. Snmpenum
3.3.4.3.3. Snmpset
3.3.4.3.4. Snmpbrute
3.3.4.3.5. Onesixtyone

MODULE 4: SNIFFING AND MITM ATTACKS
Studying ARP, how it works and how it can be manipulated to mount sophisticated attacks, is made extremely easy to understand. Sniffing is a technique that you will fully grasp in its most practical aspects. There's also some theory behind it that Brett covers before getting into real world scenarios of sniffing using the best tools available. Man in the middle attacks are one of the most used penetration testing techniques today: you will be able to mount man in the middle attacks within local networks and over the Internet.

Syllabus
4.1. Sniffing basics
4.1.1. Why it is possible
4.2. Sniffing
4.2.1. Passive sniffing
4.2.2. Active sniffing
4.2.2.1. MAC Flooding
4.2.2.2. ARP Poisoning
4.2.2.2.1. Basics of ARP
4.2.2.2.2. Poisoning ARP
4.2.3. Tools
4.2.3.1. Dsniff, Wireshark, Tcpdump, Windump
4.3. Man-In-The-Middle (MITM) attacks
4.3.1. What they are
4.3.2. How ARP works
4.3.3. ARP poisoning for MITM
4.3.4. Local to remote MITM, ARP poisoning
4.3.5. DHCP poisoning
4.3.6. MITM into public key exchange
4.3.7. Tools
4.3.7.1. Ettercap, Cain, Macof, Arpspoof, Dnsspoof
4.4. Intercepting SSL traffic
4.4.1. Tools
4.4.1.2. sslstrip & ettercap

MODULE 5: THE EXPLOITATION SHOW
Exploiting your target is an extremely practical skill that you will master and enjoy with this module. Like in a movie you will go from assessing remote vulnerabilities to exploiting them using tools like Nessus and Metasploit. Penetration is carried out on real targets.

Syllabus
1 hour Exploitation show video


MODULE 6: ANONYMITY
When you're hired as a penetration tester you rarely need to cover your tracks. However, there are times when testing the efficiency of the target organization's incident response team is within the scope of your engagement. Covering your tracks while pentesting will prove the target's ability to detect an intrusion and make you a more specialized penetration tester.

Syllabus
6.1 Browsing anonymously
6.1.1 HTTP Proxies
6.1.1.1 Verifying proxy anonymity
6.1.1.2 HTTP_VIA / HTTP_X_FORWARDED_FOR
6.1.2 Tor Network
6.2 Tunneling for anonymity
6.2.1 SSH Tunneling
6.3 Cleaning traces
6.3.1 Cleaning the event log
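The proxy-anonymity check named in 6.1.1.1 and 6.1.1.2 comes down to one question: when you browse through the proxy to a page on a server you control, which of your details reach that server? The following is an added example written for this syllabus entry, not course material: it classifies a proxy from the request metadata a test page would log (CGI-style names such as REMOTE_ADDR and HTTP_X_FORWARDED_FOR). The level names transparent/anonymous/elite are the informal ones commonly used, not a standard; the header list beyond HTTP_VIA and HTTP_X_FORWARDED_FOR, the tester's "real" address and the sample requests are all constructed for the example.

```python
# Added example (not from the course): classify what a forward proxy reveals
# about its client. Input is the request environment as a test page on a
# server you control would see it (CGI naming); real_ip is your own public
# address, known out-of-band. Level names are the usual informal ones.

from typing import Dict, List

# Headers whose mere presence announces that a proxy is in the path.
# The first two are the ones the syllabus names; the rest are common extras.
PROXY_MARKER_HEADERS: List[str] = [
    "HTTP_VIA",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_FORWARDED",
    "HTTP_X_REAL_IP",
    "HTTP_PROXY_CONNECTION",
]


def _ips_in(value: str) -> List[str]:
    """Split a comma-separated header value (X-Forwarded-For style)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def leaked_headers(env: Dict[str, str], real_ip: str) -> List[str]:
    """Names of the headers that carry the client's real address."""
    return sorted(
        h for h in PROXY_MARKER_HEADERS
        if h in env and real_ip in _ips_in(env[h])
    )


def classify_proxy(env: Dict[str, str], real_ip: str) -> str:
    """Return 'none', 'transparent', 'anonymous' or 'elite'."""
    if env.get("REMOTE_ADDR", "") == real_ip:
        # The TCP connection came straight from us: no proxy in the path.
        return "none"

    # Any header that discloses our real address makes the proxy transparent,
    # no matter what else it strips.
    if leaked_headers(env, real_ip):
        return "transparent"

    # Proxy is admitted (Via, or X-Forwarded-For with a bogus/internal value)
    # but our address is not disclosed.
    if any(h in env for h in PROXY_MARKER_HEADERS):
        return "anonymous"

    # Neither our address nor any proxy marker reaches the server.
    return "elite"


# Constructed sample requests, as the test page behind each proxy would log them.
REAL_IP = "203.0.113.10"          # the tester's address (constructed)
SAMPLES: Dict[str, Dict[str, str]] = {
    "direct": {"REMOTE_ADDR": REAL_IP},
    "squid_default": {
        "REMOTE_ADDR": "198.51.100.7",
        "HTTP_VIA": "1.1 squid.example (squid/3.1)",
        "HTTP_X_FORWARDED_FOR": REAL_IP,
    },
    "anon": {
        "REMOTE_ADDR": "198.51.100.8",
        "HTTP_VIA": "1.1 proxy",
        "HTTP_X_FORWARDED_FOR": "unknown",
    },
    "chained": {
        "REMOTE_ADDR": "198.51.100.9",
        # second hop forwarded what the first hop had already appended
        "HTTP_X_FORWARDED_FOR": "10.0.0.5, " + REAL_IP,
    },
    "elite": {"REMOTE_ADDR": "198.51.100.9"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:14s} -> {classify_proxy(env, REAL_IP)}")
```

An "elite" result only says the HTTP layer is clean: the proxy operator still sees your real address, and the check says nothing about DNS or application-level leaks, so treat it as a necessary rather than sufficient condition for anonymity.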


MODULE 7: SOCIAL ENGINEERING


The social engineering module guides you through the most modern social engineering attack techniques. Real world attacks are illustrated that exploit the potential of social networks and people-search sites such as Facebook, Twitter or Spokeo. Almost 1 hour of video lessons will teach you everything you need to know to master the most important tool in the field: the Social Engineering Toolkit.

Syllabus
7.1. What is it?
7.2. Types of Social Engineering
7.2.1. Pretexting
7.2.2. Phishing
7.2.3. Baiting
7.2.4. Physical
7.3. Samples of Social Engineering Attacks
7.3.1. Sample 1: Canadian Lottery
7.3.2. Sample 2: FBI e-mail
7.4. Pretexting Samples
7.4.1. Sample
7.5. Role of Social Networking in Social Engineering
7.5.1. Pipl
7.5.2. Spokeo
7.6. Tools


SECTION 3: SYSTEM SECURITY

OVERVIEW
Module 1: Introduction
Module 2: Cryptography and Password Cracking
Module 3: Buffer Overflow
Module 4: Shellcoding
Module 5: Malware
Module 6: Rootkit coding

MODULE 1: INTRODUCTION
Our System security instructors, Vipin and Nitin Kumar, will help you set up your box with all the necessary tools required by later modules of this course. Advanced buffer overflow exploitation, shellcoding and rootkit coding will require compilers and assemblers that you will get familiar with in this module.

Syllabus
1.1. Dev-Cpp
1.1.1. Using Dev-Cpp
1.2. Nasm Assembler
1.2.1. Nasm Assembler Introduction
1.2.2. Sample Assembly Language Program
1.3. Windows Driver Development
1.3.1. Sample Driver
1.3.2. Compiling your Driver
1.3.3. Using a Driver
1.3.4. Viewing Driver Output


MODULE 2: CRYPTOGRAPHY AND PASSWORD CRACKING

Almost every penetration testing engagement requires an understanding of cryptographic aspects. This module ensures that you're current with the most common cryptographic technologies, algorithms and tools. You will also learn how to perform advanced password cracking using the best tools available.

Syllabus
2.1. Introduction
2.2. Classification
2.3. Cryptographic hash function
2.4. Public key infrastructure
2.4.1. X.509
2.4.2. Public Key Certificate
2.5. Pretty Good Privacy (PGP)
2.5.1. Web of Trust
2.5.2. Digital signatures
2.6. Secure Shell (SSH)
2.7. Cryptographic Attacks
2.8. Security Pitfalls in Implementing Cryptography systems
2.9. Stealing Windows 2000/XP/2k3/Vista Passwords
2.9.1. LM hash or LAN Manager hash
2.9.2. NT hash
2.9.3. Stealing the hash
2.9.4. Cracking your Windows SAM Database in Seconds with Ophcrack


MODULE 3: BUFFER OVERFLOW


Finding and exploiting buffer overflows is what you will master by studying this module. Our instructors' main concern was to make this hard topic as easy as possible, going from the basics up to the most advanced techniques involved in the exploitation process. A real Windows application is exploited with step by step explanation.

Syllabus
3.1. Introduction
3.2. The Stack
3.2.1. x86 Stack
3.2.2. Push and Pop Operation
3.2.3. ESP Functionality
3.2.4. Stack Frames
3.2.5. Example
3.3. Buffer Overflows
3.3.1. Gaining control of buffer overflows
3.3.1.1. Example
3.3.2. Steps To Trigger The Buffer Overflow
3.3.3. Triggering the Overflow
3.4. Finding Buffer Overflows
3.4.1. Fuzzing
3.4.2. Identifying A Buffer Overflow After A Crash
3.5. Exploiting a Real-World Buffer Overflow
3.5.1. Example: Owning the FTP Client
3.5.2. Examples


MODULE 4: SHELLCODING
The art of Shellcoding is made available to anyone through easy to understand samples and real world complex scenarios. A small part of theoretical aspects will introduce the practical examples where you will actually create your own shellcode through the use of compilers and assemblers. Different techniques are shown in order to let you create your own shellcode. Three source code examples are explained line by line.

Syllabus
4.1. Execution Of Shellcode
4.2. Types Of Shellcode
4.2.1. Local Shellcode
4.2.2. Remote Shellcode
4.2.3. Staged Shellcode
4.3. Encoding Of Shellcode
4.3.1. Null free shellcode
4.3.2. Alphanumeric And Printable Shellcode
4.3.3. Percentage Encoding
4.4. Sample 1: Workouts For Writing Shellcodes
4.5. Sleep Shellcode Example
4.6. Writing Universal Shellcode For Windows NT
4.6.1. Resolving References at Runtime
4.6.2. Finding kernel32.dll address
4.6.2.1. Time to Resolve Functions
4.7. Sample 2: OS Independent Sleep Shellcodes
4.8. Sample 3: Privilege Escalation Shellcodes For Windows XP
4.8.1. Setting Up Windows for Debugging etc
4.8.2. The Logic Behind Privilege Escalation
4.8.3. The Driver Architecture
4.8.3.1. Sample Driver Framework Code
4.8.4. Using the Sample


MODULE 5: MALWARE
If you thought this was a boring module, get prepared for surprises. A thorough and detailed classification of the types of malware introduces a module featuring the most advanced and obscure techniques used by modern malware. Three malware source codes are dissected and explained line by line: a Keylogger, a Trojan and a Virus.

Syllabus
5.1. Classification
5.2. Techniques used by Malware
5.2.1. Streams
5.2.2. Hooking Native APIs / SSDT
5.2.3. Hooking IRP
5.2.4. Hiding a process
5.2.5. API Hooking
5.2.5.1. IAT Hooking
5.2.5.2. EAT Hooking
5.2.5.3. Inline Hooking
5.2.6. Anti-Debugging Methods
5.2.7. Anti-Virtual Machine
5.2.8. Obfuscation
5.2.9. Packers
5.2.10. Polymorphism
5.2.11. Metamorphism
5.2.11.1. Garbage Insertion
5.2.11.2. Register Exchange
5.2.11.3. Permutation Of Code Blocks
5.2.11.4. Insertion Of Jump Instructions
5.2.11.5. Instruction Substitution
5.2.11.6. Code Integration With Host
5.3. How malware spreads
5.3.1. Email Attachments
5.3.2. Already Infected Files
5.3.3. Peer-2-peer File Sharing
5.3.4. Web-sites
5.3.5. Internet Connection / Local Network
5.4. Samples
5.4.1. Sample 1: Keylogger
5.4.2. Sample 2: Trojan
5.4.3. Sample 3: Virus

MODULE 6: ROOTKIT CODING


From the creators of the first Windows 7 BIOS Rootkit, this module covers the basics and the most important aspects of rootkit coding. A brief classification introduces you to 3 rootkit source code snippets uncovering the most used techniques employed by rootkits. You will be able to understand and code rootkits yourself using the Windows Driver Development Kit and perform advanced covert penetration testing.

Syllabus
6.1 Rootkit Classification
6.2 Sample 1: Making a rootkit which hides a Process
6.3 Sample 2: Controlling File Access
6.4 Sample 3: Hiding Files and Directories


eLearnSecurity
Penetration Testing Course Professional

Course Details:
Online course: learn at your own pace
1600+ interactive slides
Learn methodology, be a professional
5 hours of videos
3 authors, 3 sections
DVD: BackTrack 4 + Labs
Silver Certification
Qualifies you for 40 CPE

Breaking systems is no longer enough. Be a professional.