Professional Penetration Tester

Summary

Network Penetration Testing and Web App Penetration Testing v2

  • In this course, students develop their skills as professional pentesters to the fullest
  • The course analyzes in depth the phases, methodology and techniques used during infrastructure and web pentests
  • The course is 100% practice-oriented and presents, through its frameworks, real cases in which web vulnerabilities are exploited
  • The course material includes access to the academy, support material, exercises, videos and access to laboratories
  • Online instructors to answer questions and provide follow-up
  • The laboratories present real-world workplace scenarios
  • Unlimited access to the academy and its content
  • Periodic updates
  • Downloadable PDF
  • Unlimited access to virtual laboratories

PRE-REQUISITES

  • Basic understanding of networking: TCP/IP, Routing, Forwarding, OSI model
  • The ability to read and understand C, Python, Java and PHP code helps but is not mandatory.
  • Basic understanding of HTTP protocol, Cookies, Sessions
  • Understanding of IT Security matters and basics of Penetration Testing
  • No development skills required.

SUMMARY

  • This course gives professionals the means to acquire in-depth knowledge of pentesting
  • The course covers in depth the field of infrastructure and web pentesting, as well as its phases and techniques
  • It includes all the ICPWAP course material and its certification once the ICPP+ certification has been obtained
  • It introduces the professional to exploiting
  • At the end of the course there will be a series of exams

MATERIAL

  • 50+ pentest videos on infrastructure
  • 35+ pentest videos on web applications
  • Online teachers to answer questions and provide follow-up
  • Multiplatform access to the academy
  • Practical exercises and proofs of concept
  • Theoretical and practical final exams to obtain the ICPP+ and ICPWAP certifications
  • Private 24×7 VPN access to all laboratories

THIS TRAINING COURSE IS FOR

  • Pentesters
  • IT Professionals
  • Managers
  • Developers
  • System Administrators
  • Security enthusiasts who want to expand knowledge
  • CERTs

Upon completion of this course you will be able to

  • Develop a tailored scope and implement rules of engagement for penetration testing projects to ensure that work is focused, well defined and performed safely
  • Learn how to carry out detailed reconnaissance using document metadata, search engines and other publicly available information sources to develop a technical and organizational understanding of the target environment
  • Learn methodologies and how to write high-level executive and technical reports
  • Learn the C and Python languages to build your own tools and scripts
  • Use Nmap to perform full network scans, port scanning and operating system fingerprinting
  • Learn how to correctly execute the Nmap Scripting Engine scripts to extract detailed information from the target systems
  • Configure and deploy Nessus to discover vulnerabilities through authenticated and unauthenticated scans safely
  • Analyze the output of the scanning tools to manually verify the findings and reduce false positives
  • Use the Windows and Linux command lines to loot target systems to obtain vital information that can further improve the progress of penetration tests
  • Set up the Metasploit exploit tool to scan, exploit and then pivot through a deep target environment
  • Apply a detailed methodology in your web application penetration tests: reconnaissance, application mapping, discovery and exploitation
  • Write modern exploits against the Windows 7/8/10 operating systems
  • Perform complex attacks such as buffer overflows, analysis, and other advanced topics
  • Successfully analyze the results of the tools
  • Validate the findings, determine their impact on the business and eliminate false positives
  • Discover and exploit web vulnerabilities manually
  • Discover and exploit the OWASP Top 10 2017 flaws and determine the true risk to the organization
  • Create configurations and use tools to streamline the process
  • Explain the impact for the organization when the operation is successful.
  • Analyze the traffic between the client and the server application
  • Manually discover and exploit cross-site request forgery attacks (CSRF)
  • Perform a full web penetration test on CMS and web applications
Hands-on Training

Real Environment

  • Enumerate Services
  • Gathering
  • Write Exploit
  • Pivoting
  • Flags
  • Web application assessment
  • Misconfiguration
  • Vulnerable Services
  • Common passwords
  • Weak passwords
  • Missing patching

VIRTUAL LABS

The most sophisticated virtual lab on Penetration Testing is now made available to practice as securely and realistically as possible, simulating real situations in the everyday life of a professional pentester. The student will connect via VPN to the remote virtual lab network where vulnerable workstations/servers will be made available for testing.

Corporate & Groups

An annual or personal license for continuous learning at iHackLabs, with a Supervisor Dashboard for monitoring students' progress and a discount for volume purchases

Individuals

iHackLabs Certified Professional Penetration Tester

Infrastructure and Write Exploits

Module 1: Introduction to pentesting
Module 2: Review of Concepts
Module 3: Gathering phase
Module 4: Enumeration Phase
Module 5: Exploitation Phase
Module 6: Post-Exploitation Phase
Module 7: Development of Exploits in Windows and Linux
Module 8: Introduction to OSINT
Module 1: Introduction to pentesting
    • Basic concepts of a penetration test
    • Types of penetration tests and methodologies
    • Phases of a penetration test
    • Types of reports, presentation and deliverables
Module 2: Review of Concepts
  • OSI model and communication protocols
  • Sockets, introduction and exercises
  • Introduction to C++ and exercises
  • Introduction to Python and exercises
Module 3: Gathering phase
  • Description of the gathering or collection phase
  • Most used methods and tools
  • Planning and management of information
  • Active and passive collection
  • Discovery of services and banners and evasion of detection systems
  • Videos on using gathering tools
  • Using Nmap
Module 4: Enumeration Phase
  • Discovery and enumeration of services and banners, and evasion of detection systems
  • Most common services and methods of exploitation: SMTP, NetBIOS, SMB, X-Windows, etc.
  • Enumeration of Microsoft SQL, MySQL and Oracle databases
  • +15 exercises and practical videos with different tools and methods of the audited services
Module 5: Exploitation Phase
  • The most extensive phase, treated in the greatest depth
  • Most used tools, integration and use
  • Nessus, Nmap, OpenVAS, social engineering, brute force, analysis with Wireshark
  • Proofs of concept, videos and practical exercises
Module 6: Post-Exploitation Phase
  • Manual penetration test, techniques and tips
  • Review of services, system variables, configuration files and logs
  • Elevation of privileges
  • Pivoting and port forwarding techniques
  • Traffic redirection techniques, pass the hash, how to get out of a limited prompt, among others
  • Introduction to cryptography and algorithm analysis
  • Attacks on passwords, use of dictionaries
  • Attacks on online services
  • Proofs of concept, videos and practical exercises
Module 7: Development of Exploits in Windows and Linux
  • Introduction to exploiting, types of exploits
  • x86 architecture, CPU instructions, stack management
  • Assemblers and Debuggers
  • Register manipulation
  • Location of Buffer Overflows, Fuzzing
  • Shellcoding
  • Exercises and practical videos of Buffer Overflow in Win32 and Linux
Module 8: Introduction to OSINT
  • Basic concepts of OSINT
  • API, gathering information from social networks
  • Tools

Web Applications

Module 1: Introduction to Pentest Web
Module 2: Gathering Phases
Module 3: Client Side Controls
Module 4: Session Management
Module 5: Injections
Module 6: Backend Services
Module 7: Attacks on Users
Module 8: Web Infrastructure
Module 1: Introduction to Pentest Web
  • Basic concepts of a web penetration test
  • Phases of a web pentest and its development
  • Current context, most used tools and most used work methodologies
  • Fingerprinting, most used frameworks, web architecture and attack methods
  • Proofs of concept, videos and practical exercises
Module 2: Gathering Phases
  • In this chapter you will see the basic concepts of HTTP methods, authentication types and encoding
  • Introduction to using Burp Suite
  • You will see in detail the gathering phase, its terminology and the most used tools
  • Fingerprinting, most used frameworks, web architecture and attack methods
  • Proofs of concept, videos and practical exercises
Module 3: Client Side Controls
  • Analysis of content that is hidden on the other side of a web application
  • Vulnerabilities from the client side
  • Traffic capture, recognition and subsequent analysis
  • Java serialization, Flash and Silverlight
  • Proofs of concept, videos and practical exercises
Module 4: Session Management
  • Analysis of content that is hidden on the other side of a web application
  • Vulnerabilities from the client side
  • Traffic capture, recognition and subsequent analysis
  • Java serialization, Flash and Silverlight
  • Proofs of concept, videos and practical exercises
Module 5: Injections
  • Types of most common injections, detection and prevention
  • Advanced injections in Microsoft SQL, MySQL and Oracle
  • XPath Injections and LDAP Injections
  • Proofs of concept, videos and practical exercises
Module 6: Backend Services
  • Exploitation phase of a web penetration test
  • Injections that allow direct interaction with back-end services
  • Injection of system commands, path manipulation, XML injections and how to prevent them
  • Proofs of concept, videos and practical exercises
Module 7: Attacks on Users
  • Analysis and management of data collected during the previous phases
  • Attacks on systems and evaluation of their security status
  • Detection and prevention of Cross-Site Scripting
  • Cross-Site Scripting: Reflected, Stored and DOM
  • Proofs of concept, videos and practical exercises
Module 8: Web Infrastructure
  • Attack techniques for application servers
  • Most common vulnerabilities within the infrastructure of a web server
  • Buffer overflow attacks
  • Proofs of concept, videos and practical exercises