INTRODUCTION

This course will start from the basic cyber security concepts and will move forward to the phases of a vulnerability assessment and a penetration testing activity. The illustrated steps will mimic those performed during a real-world penetration test, and thus tools and techniques used in the real world for this type of activity will be shown.

OBJECTIVES

You will learn how to gather information about a target, how to discover vulnerabilities in the target and how to rank and weight such vulnerabilities.
You will also learn how to exploit a vulnerability, how to exchange data with the target and how to escalate the privileges on it if exploiting it yielded only privileges of an unprivileged user.
The focus will be on the infrastructure, but you will also learn the most important aspects and techniques to attack a web application and wireless networks.
You will also learn the fundamental tools in the Kali Linux penetration testing distribution.

PREREQUISITES

Very good knowledge of networking, operating systems (especially Linux/Debian), SQL and computer architectures.

COURSE OUTLINE

Introduction

Basic security concepts introduction: CIA, vulnerability, exploit, ethical hacking, CVSS, CVE, possible and common ethical hacking approaches and methodologies like OSSTMM, PTES, NIST 800-115, OWASP, MITRE ATT&CK framework, real world hacking phases, etc.

Setting up the lab

This part details the hardware requirements and explains systematically how to setup an ethical hacking testing lab composed by two VMs: Kali Linux and Metasploitable.
It also provides information on how to initially configure Kali and Metasploitable for their use throughout the course and how to convert the Metasploitable VM (available only in VMware format) to Virtualbox.

Information gathering

In this module, the student will learn about websites and tools to conduct Open Source Intelligence queries about a target and discover as much information as possible about it. He will also learn that most of these queries will be passive and he will not interact directly with the target.

Scanning

This will be the first “active” phase of a penetration test, which is when the student will actually begin contacting the target’s infrastructure looking for deeper and more detailed information, especially about exposed services and applications.
He will learn how to use the famous nmap tool to scan a target to discover reachable services using the most common networking protocols.

Enumeration

In this module, the student will learn how to actually probe the identified target and will start looking for real vulnerabilities.
He will learn some deeper information about vulnerabilities and then he will be ready to learn the world most used vulnerability scanner: Tenable Nessus.
He will learn how to create a scan policy, how to run a scan and how to create a report with the discovered vulnerabilities. This will end the phases relative to a vulnerability assessment and he will be ready to proceed with the penetration testing ones.

Attack introduction

This will be a quick summary of the next steps and introduces the most used attack paths.

Attacks to credentials

Even is the world is very slowly moving to a passwordless future, nowadays we are overwhelmed by tons of passwords that we must remember. Since we are humans, we tend to create passwords that are easy to remember and to reuse them often.
For this reason, the students will learn how to use some of the best tools for password guessing and password cracking.

Attacks to the software

Apart from attacks to the passwords, the attacks to the software are for sure the most widespread ones. The key concepts here are vulnerabilities, exploits and their effectiveness.
The student will learn what exploits and payloads are. He will also learn how to use the Metasploit attack framework to attack a target, how to gain access to it and its data and how to execute privilege escalation attacks that will yield him the possibility to plant a permanent backdoor or delete all logs.

Attacks to the network

These attacks were much more effective when almost no services were encrypted.
Anyway, they are still partially useful because the transition of the services from cleartext to their encrypted counterpart is not over yet and probably will never be.
The student will learn how to sniff traffic and how to perform an ARP poisoning attack to a target to capture its traffic.

Attacks to web applications

The students will learn about the architecture of a modern web application and the most important features of two of the most used tools for testing its security: Burp Proxy and SQLmap.
They will also experiment some of the most common attacks on a vulnerable web application (Mutillidae).

Wireless networks attacks

Students will learn the basics of modern Wireless networks and their standards, their security and insecurity.
They will also learn how to recover passwords for WEP, WPA 1 and 2 networks and for devices implementing the WPS protocol.