Advanced Penetration Testing: Make The Difference · 2019-11-21

EC-Council CAST (Center for Advanced Security Training) · CAST 611 Advanced Penetration Testing

Posted on 10-Jun-2020


About the EC-Council Center of Advanced Security Training (CAST)

The rapidly evolving information security landscape now requires professionals to stay up to date on the latest security technologies, threats and remediation strategies. CAST was created to address the need for quality advanced technical training for information security professionals who aspire to acquire the skill sets required for their job functions. CAST courses are advanced and highly technical training programs co-developed by EC-Council and well-respected industry practitioners or subject matter experts. CAST aims to provide specialized training programs that will cover key information security domains, at an advanced level.


Advanced Penetration Testing Course Description

The course is 100% hands-on. For the first half of the class you practice the professional security testing methodology; once you have practiced it, you go against a "live" range. The process is as follows:

The sample methodology:

- Information gathering and OSINT
- Scanning: Building a Target Database
- Enumeration
- Vulnerability Analysis
- Exploitation
- Post exploitation
- Advanced techniques
- Data Analysis
- Report

Access the range:

- You will be provided a scope of work
- Have 2-3 hours on the range and then be provided a debrief


The ranges are progressive and increase in difficulty at each level. There are 3-4 levels to complete, then you are ready for the challenge range practical!

Motto:

- So you think you can pen test? PROVE IT!

The course will teach you how to do a professional security test and produce the most important thing from a test ... the findings and the report!

The ranges progress in difficulty and reflect an enterprise-level architecture. There will be defenses to defeat and challenges to overcome. This is not your typical FLAT network! As the range levels increase you will encounter the top defenses of today and learn the latest evasion techniques.

The format you will use has been used to train thousands of penetration testers globally; it is proven and effective!

Practical:

- Three phases, with a scope of work for each phase.
- 6 hours to complete the practical.
- Save all of the data and build a target database of your findings at completion of the range section.
- Two hours for a written exam based on the ranges.
- Pass the exam.
- Receive the CAST Advanced Penetration Tester Certification.

What Will You Learn?

Students completing this course will gain in-depth knowledge in the following areas:

01 Advanced Scanning methods
02 Attacking from the Web
03 Client Side Pen-testing
04 Attacking from the LAN
05 Breaking out of Restricted Environments
06 Bypassing Network-Based IDS/IPS
07 Privilege Escalation
08 Post-Exploitation

Who Should Attend

Anyone in the following roles interested in real-world attack and defense in today's complex and highly secure IT environments:

• Information security professionals
• Penetration Testers
• IT managers
• IT auditors
• Government & Intelligence Agencies

Course Outline

1. Information gathering and OSINT

• Nslookup
• Dig
• dnsenum
• dnsrecon
• dnsmap
• reverseraider
• Enumeration of DNS with fierce
• Internet registrars and whois
• Enumeration with theHarvester
• ServerSniff
• Google Hacking Database
• metagoofil
• Cloud Scanning with Shodan

2. Scanning

• Scanning with the Nmap tool
  • Scan for live systems
  • Scan for open ports
  • Identify services
  • Enumerate
  • Output the scanner results in an XML format for display
• Scanning with autoscan
• Scanning with Netifera
• Scanning with sslscan
• Scanning and Scripting with Hping3
• Building a Target Database

RANGE: Live Target Range Challenge Level One

3. Enumeration

• Enumerating Targets
• Enumerating SNMP
• Using the nmap scripting engine
• Enumerating SMB
• OS Fingerprinting

4. Vulnerability Analysis

• Vulnerability Sites
• Vulnerability Analysis with OpenVAS
• Vulnerability Analysis with Nessus
• Firewalls and Vulnerability Scanners
• Vulnerability Analysis of Web Applications
  • XSS
  • CSRF
  • SQL Injection
  • Others
• Vulnerability Scanning with W3AF
• Vulnerability Scanning with Webshag
• Vulnerability Scanning with Skipfish
• Vulnerability Scanning with Vega
• Vulnerability Scanning with Proxystrike
• Vulnerability Scanning with Owasp-zap

5. Exploitation

• Exploit Sites
• Manual Exploitation
  • Scanning the target
  • Identifying vulnerabilities
  • Finding an exploit for the vulnerability
  • Prepare the exploit
  • Exploit the machine
• Exploitation with Metasploit
  • Scan from within Metasploit
  • Locate an exploit, and attempt to exploit a machine
• Exploiting with Armitage
  • Scan from within Armitage
  • Managing targets in Armitage
  • Exploiting targets with Armitage
• Exploitation with SET
  • Set up SET
  • Access compromised website using Java attack vector
  • Gain user-level access to the latest Windows machines
  • Perform privilege escalation
  • Gain system-level access to the latest Windows machines
  • Extract data with scraper
  • Extract data with winenum
  • Analyze the pilfered data
  • Kill the antivirus protection

RANGE: Live Target Range Challenge Level Two

6. Post Exploitation

• Conduct local assessment
• Conduct the scanning methodology against the machine
• Identify vulnerabilities
• Search for an exploit
• Compile the exploit
• Attempt to exploit the machine
• Migrate the exploit to another process
• Harvest information from an exploited machine
• Capture and crack passwords
• Copy files to and from an exploited machine

RANGE: Live Target Range Challenge Four

7. Data Analysis and Reporting

• Compiling Data in MagicTree
  • Take tool output and store it in a usable form
• Compiling Data in Dradis
  • Storing OpenVAS results
• Developing a Professional Report
  • Identify the components of a report:
    • Cover Page
    • Table of Contents
    • Executive Summary
    • Host Table
    • Summary of findings
    • Detailed Findings
    • Conclusion
    • Appendices
• Reviewing findings and creating report information
  • Conducting systematic analysis
  • Validation and verification
  • Severity
  • Description
  • Analysis/Exposure
  • Screenshot
  • Recommendation
• Reviewing sample reports
• Creating a custom report

8. Advanced Techniques

• Scanning against defenses
  • Routers
  • Firewalls
  • IPS
• Exploitation through defenses
  • Source port configuration
• Detecting Load Balancing
  • DNS
  • HTTP
• Detecting Web Application Firewalls
  • wafW00f
• Evading Detection
  • Identifying the threshold of a device
  • Slow and controlled scanning
  • Obfuscated exploitation payloads
• Exploit writing
  • Writing custom exploits
  • Exploit writing references

Master Trainer:

Kevin Cardwell

Kevin Cardwell served as the leader of a 5-person Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways clients can mitigate or limit the impact of these weaknesses.

He currently works as a freelance consultant and provides consulting services for companies throughout the world, and as an advisor to numerous government entities within the US, Middle East, Africa, Asia and the UK. He is an Instructor, Technical Editor and Author for Computer Forensics and Hacking courses. He is the author of the Center for Advanced Security and Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree courses Penetration Testing Techniques and Computer Forensics. He has presented at the Black Hat USA, Hacker Halted, ISSA and TakeDownCon conferences. He has chaired the Cybercrime and Cyberdefense Summit in Oman. He is the author of BackTrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas. He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman, which was recently rated as the top CERT for the Middle East. He serves as a professional training consultant to the Oman Information Technology Authority, and developed the team to man the first Commercial Security Operations Center in the country of Oman. He has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK in the planning of a robust and secure architecture and implementing requirements to meet compliance. He currently provides consultancy to commercial companies, governments, major banks and financial institutions in the Gulf region, including the Muscat Securities Market (MSM) and the Central Bank of Oman. Additionally, he provides training and consultancy to the Oman CERT and the SOC team in the monitoring and incident identification of intrusions and incidents within the Gulf region.
