Академический Документы
Профессиональный Документы
Культура Документы
PTPv3 at a glance:
Self-paced, online, flexible access
4500+ interactive slides and
14+ hours of video material
Five top level authors
Five knowledge domains
In depth coverage of every
technique
Two virtual labs for Network,
System and Web application
security hands-on sessions
Dozens of real world vulnerable
networks and websites
Reporting skills covered in depth
Prepares for eCPPT certification
Prepares for real world
Penetration testing jobs
This training course has been chosen
by students in 120 countries in the
world and by leading organizations
such as:
System security section will provide you with thorough understanding of x86
Architecture and its weaknesses.
- Module 1: Introduction
1. Introduction
1.1. Dev-Cpp
1.1.1. Using Dev-Cpp
1.1.2. C++ Video
1.2. Nasm Assembler
1.2.1. NasmX Assembler Introduction
1.2.2. X86 Stack
1.2.3. PUSH and POP
1.2.4. EBP/ESP functionality
1.3. Immunity Debugger
1.3.1. Sample Driver
1.3.2. Compiling your Driver
1.3.3. Using a Driver
1.3.4. Viewing Driver Output
Cryptography Systems
2.9. Windows Passwords
2.9.1. LM and NT hashes
2.9.2. SAM
2.9.3. Stealing hashes Remote
2.9.4. Stealing hashes Local
2.9.5. Stealing hashes Live host
2.9.6. Stealing hashes Offline
2.9.7. Pass the hash
2.9.8. Cracking the hash
3. Buffer Overflow
3.1. Introduction
3.2. The Stack
3.2.1. X86 Stack Frames Samples
3.3. Buffer Overflows
3.3.1. Gaining control of EIP
3.3.2. Steps to trigger the Overflow
3.4. Finding Buffer Overflows
3.4.1. Fuzzing
3.4.2. Identifying Buffer overflows
after a crash
3.5. Exploiting
real
world
Buffer
Overflows
3.5.1. 32Bit FTP Client exploitation
3.6. ASLR and DEP
3.6.1. ASLR Brute forcing
3.6.2. ASLR NOP Sleds
3.6.3. ASLR Non randomized
memory
3.6.4. DEP
4. Shellcoding
4.1. Execution of Shellcode
4.2. Types of Shellcode
4.3. Shellcode encoding
4.3.1. Null free shellcode
A small part of theoretical aspects will
4.3.2. Alphanumeric shellcode
introduce the practical examples where
4.3.3. Percentage encoding
you will actually create your own
4.4. Sample 1 : Shellcoding framework
shellcode through the use of compilers
4.5. Sleep() Shellcode
and assemblers.
4.6. Writing Universal Shellcode for
Windows
Different techniques are shown in
4.6.1. Finding kernel32.dll address
order to let you create your own
4.6.2. Resolving references at runtime
shellcode.
4.7. Sample 2 : OS Independent
shellcode
Three source code examples are
4.8. Sample 3 : Privilege escalation
explained line by line.
shellcodes
4.8.1. Setting up Windows for
Debugging
4.8.2. The logic behind privilege
escalation
4.8.3. The Driver Architecture
4.8.4. Sample Driver Framework code
for Kernel privilege escalation
Hera Labs are included in this module
5. Malware
5.1. Classification
5.2. Techniques used by Malware
5.2.1. Streams
5.2.2. Hooking SSDT
5.2.3. Hooking IRP
5.2.4. Hiding a process
5.2.5. API Hooking
5.2.5.1.
IAT Hooking
5.2.5.2.
EAT Hooking
5.2.5.3.
Inline Hooking
5.2.6. Anti-Debugging methods
5.2.7. Anti-Virtual machine methods
5.2.8. Obfuscation
5.2.9. Packers
5.2.10. Polymorphism
5.2.11. Metamorphism
5.2.11.1. Garbage Insertion
5.2.11.2. Registers Exchange
5.2.11.3. Permutation
5.3. How malware spreads
5.3.1. Null free shellcode
5.3.2. Alphanumeric shellcode
5.3.3. Percentage encoding
5.4. Real world Samples
5.4.1. Sample 1 : Keylogger
5.4.2. Sample 2 : Trojan
5.4.3. Sample 3 : Virus
6. Rootkits
6.1. Rootkits Classification
6.2. Sample 1 : Hiding a process
6.3. Sample 2 : Controlling File Access
6.4. Sample 3 : Hiding Files
Network security section will deal with the security testing methodology,
techniques and tools for networked PC and devices.
- Module 1: Information Gathering
- Module 2: Scanning
- Module 3: Enumeration
- Module 4: Sniffing and MITM attacks
- Module 5: Exploitation
- Module 6: Post-exploitation
- Module 7: Anonymity
- Module 8: Social Engineering
1. Information Gathering
1.1. Introduction
1.2. OSINT / Search Engines
1.2.1. Organization Web Presence
1.2.2. Finding government contracts
1.2.3. Partners and third parties
1.2.4. Job postings
1.2.5. Financial information
1.2.6. Information Harvesting
1.2.6.1. theHarvester
1.2.6.2. esearchy
1.2.7. Cached information
1.3. OSINT / Social Media
1.3.1. People search and investigation
1.3.2. Real
world
information
gathering against eLSFoo
1.4. Infrastructure information gathering
1.4.1. Domains
1.4.1.1. DNS Enumeration
1.4.1.2. IPs
1.4.1.3. Netblocks & ASs
1.4.2. Netblocks
1.4.2.1. Alive hosts
1.4.2.2. DNS Enumeration
1.5. Tools
1.5.1. DNS Enum
2. Scanning
2.1. Introduction
2.2. Detecting Alive hosts and open Ports
2.2.1. Nmap
2.2.1.1. SYN scan
2.2.1.2. Connect scan
2.2.1.3. UDP scan
If you are not a network expert, the
2.2.1.4. Idle scan
first chapters of this module will
2.2.1.5. NULL / FIN / Xmas
introduce you to the basics of TCP and
2.2.1.6. ACK scan
other network protocols.
2.2.1.7. IP scan
2.2.2. SuperScan
We will then show you how to use the
2.2.2.1. Win Enumeration
best tools to detect live hosts, open
2.2.3. Hping2
ports and services running on them.
2.3. Firewall/IDS evasion techniques
2.3.1. Fragmentation
Through Nmap and Hping2, you will
2.3.2. Decoys
learn how to find zombies to mount
2.3.3. Timing
completely stealth port scans against a
2.3.4. Using source ports
target.
2.4. Detecting services
2.4.1. Banner grabbing
Passive and Active OS fingerprinting
2.4.2. Passive/Active Fingerprinting
techniques will also be covered in
2.5. Other Tools
depth.
2.5.1. Amap
2.5.2. UnicornScan
2.5.3. P0f
Hera Labs are included in this module
As one of the most important steps in
the penetration test of a network, this
module will first teach you the theory
behind port scanning and service
reconnaissance.
3. Enumeration
3.1. Introduction
3.2. NetBIOS
3.2.1. What is NetBIOS
3.2.2. How NetBIOS works
3.2.3. NetBIOS commands and tools
3.2.3.1. NAT
3.2.3.2. Winfo
3.2.3.3. Winfingerprint
3.2.3.4. SID2USER / USER2SID
3.3. SNMP
3.3.1. What it is
3.3.2. How it works (Agents, MIB, OID)
3.3.3. SNMP commands
3.3.4. SNMP Attacks
3.3.4.1. Cracking
community
strings
3.3.4.2. Snmpwalk
3.3.4.3. Snmpenum
3.3.4.4. Snmpset
3.3.4.5. Snmpbrute
3.3.4.6. Onesixtyone
4.2.3.4. Windump
4.3. Man in the middle (MITM) attacks
4.3.1. What they are
4.3.2. ARP Poisoning for MITM
4.3.3. Local to Remote MITM
4.3.4. DHCP Poisoning
4.3.5. MITM in Public Key exchance
4.3.6. How it works (Agents, MIB, OID)
4.3.7. SNMP commands
4.4. Intercepting SSL traffic
4.4.1. SSLStrip & Ettercap
5. VA & Exploitation
5.1. Vulnerability Assessment
5.1.1. Nessus
5.2. Low Hanging Fruits
5.2.1. Cracking network services: SSH,
SMB, VNC, RDP, Telnet, FTP
5.3. Exploitation
5.3.1. Intro to Metasploit
5.3.2. Windows
LM/NTLM/NTLMv2
weaknesses
5.3.3. Metasploit and SET advanced
use : Client Side exploitation
againt Windows and Linux
5.3.4. Metasploit advanced use :
Remote exploitation
6. Post Exploitation
eLearnSecurity experienced instructors
6.1. Introduction to the Methodology
have come up with a proven
6.2. Maintaining access and Privilege
methodology to conduct thorough
escalation
Exploitation of remote internal
6.2.1. Privilege escalation
networks through advanced Post
6.2.1.1. Migration and Getsystem
exploitation techniques.
6.2.1.2. Privilege Escalation on Win
Server 2008 and Windows
Once the student is comfortable with
7
most recent exploitation techniques, he
6.2.2. Maintaining access to the
will be exposed to the cyclic steps of a
compromised machine
successful Post exploitation phase.
6.2.2.1. Crack / Pass the hash
6.2.2.2. Backdoors
This is the phase where criminals
6.2.2.3. RDP / Telnet
ensure stable high privileged access to
6.3. Data Harvesting
the remote network in order to steal
6.3.1. Determining machine role in the
and ex-filtrate documents and
remote network
credentials from the organization.
6.3.2. Harvesting documents
6.3.3. Harvesting stored credentials
Penetration testers must possess the
6.3.4. Harvesting web browsers data
same skill-set and tools in order to test
6.3.5. Keylogging
not only the perimeter security but also
6.4. Mapping the Internal Network
any kind of internal weakness that
6.4.1. ARP Scanning
affects the organization security.
6.4.2. Pivoting
6.4.3. Port scanning internal network
This is a video and hands-on intensive
6.5. Further Pivoted Exploitation
module
6.5.1. Pass the hash
Hera Labs are included in this module
10
7. Anonymity
7.1. Browsing Anonymously
7.1.1. HTTP Proxies
7.1.2. Tor Network
7.2. Tunneling for Anonymity
7.2.1. Creating SSH Tunnels
7.3. Cleaning traces
11
8. Social Engineering
8.1. What is Social Engineering
8.2. Types of Social Engineering
8.2.1. Pretexting
8.2.2. Phishing
8.2.3. Baiting
8.2.4. Physical
8.3. Samples of Social Engineering
attacks
8.3.1. Canadian Lottery
8.3.2. FBI E-mail
8.4. Pretexting samples
8.5. Role of Social Networks in Social
Engineering
8.5.1. Pipl
8.5.2. Spokeo
8.6. Social engineering toolkit (SET)
12
2. Information Gathering
Web application information gathering
2.1. Gathering Information On Target
is a long and complex process.
2.1.1. Finding Owner, IP Addresses
And Email Addresses
It takes insight and perseverance.
2.1.1.1. WHOIS tools
2.1.1.2. DNS queries and zone
You will learn the best methodologies
transfers
to collect and store information about
2.1.1.3. Using Nslookup
your target web assets.
2.2. Infrastructure
2.2.1. Fingerprinting The Webserver
This information will be used at later
2.2.1.1. Fingerprinting
steps in the exploitation process.
Webserver Modules
2.2.1.2. Typical HTTP Services
At the end of this module, you will have
2.3. Fingerprinting Frameworks And
so much information on your target
Applications
that exploiting it will be easy and fun.
2.3.1. Fingerprinting Third-Party AddOns
2.4. Fingerprinting Custom Applications
2.4.1. Mapping The Attack Surface
2.5. Enumerating Resources
2.5.1. Crawling The Website
2.5.2. Finding Hidden Files
2.5.2.1. Finding Back Up And
Source Code Files
2.5.3. Enumerating users accounts
with Burp Proxy
2.6. Relevant
Information
Through
Misconfigurations
2.6.1. Directory Listing
2.6.2. Log And Configuration Files
2.7. Google Hacking
Practice on Coliseum Labs
13
3. Vulnerability Assessment
3.1. Vulnerability Assessment
3.1.1. Vulnerability assessment VS
Penetration testing
3.2. Assessing vulnerabilities with Nessus
3.3. Nikto
3.3.1. Creating Nikto Modules
14
4. XSS
4.1. Cross site scripting
4.1.1. Basics
4.2. Anatomy of a XSS exploitation
4.3. The three types of XSS
4.3.1. Reflected XSS
4.3.2. Persistent XSS
4.3.3. DOM-based XSS
4.4. Finding XSS
4.4.1. Finding XSS in PHP code
4.5. XSS Exploitation
4.5.1. XSS, Browsers and same origin
policy
4.5.2. Real world attacks
4.5.2.1. Cookie stealing through
XSS
4.5.2.2. Defacement
4.5.2.3. Advanced phishing attacks
5. SQL Injection
5.1. Introduction to SQL Injection
5.1.1. Dangers of a SQL Injection
5.1.2. How SQL Injection works
5.2. How to find SQL injections
5.2.1. How to find SQL injections
5.2.2. Finding Blind SQL Injections
5.3. SQL Injection Exploitation
5.3.1. Exploiting Union SQL Injections
5.4. Exploiting Error Based SQL Injections
5.4.1. Dumping database data
5.4.2. Reading remote file system
5.4.3. Accessing the remote network
5.5. Exploiting Blind SQL Injection
5.5.1. Optimized Blind SQL Injections
5.5.2. Time Based SQL Injections
5.6. Tools
5.6.1. SQLmap, BSQL Hacker, Pangolin
5.6.2. Tools taxonomy
15
16
17
1.2.1. Numbers
1.2.1.1. Integer
1.2.1.2. Float
1.2.1.3. Numeric
1.2.1.4. Anticipation
1.2.1.5. Comments
1.2.2. Strings
1.2.2.1. Single or Double quotes?
1.2.2.2. Alternative Ruby Quotes
1.2.2.3. Info about strings
1.2.2.4. Here document notation
1.2.2.5. String arithmetic
1.2.2.6. Interpolation
1.2.2.7. Some useful methods
1.2.3. Arrays
1.2.3.1. Array creation
1.2.3.2. Accessing array elements
1.2.3.3. Multi-typed array
1.2.3.4. Multi-dimensional array
1.2.3.5. Variables and arrays
1.2.3.6. Insertions
1.2.3.7. Deletion
1.2.3.8. Operations between arrays
1.2.3.9. Stack
1.2.3.10. Some useful methods
1.2.3.11. Array and Strings
1.2.4. Ranges & Hashes
1.2.4.1. Ranges (fundamental)
1.2.4.2. Ranges (methods)
1.2.4.3. Ranges and variables
1.2.4.4. Hashes (fundamental)
1.2.4.5. Hashes (methods)
Downloadable scripts are included in this module.
18
2. Control Structures
2.1. Comparison operator
2.2. Conditionals
2.2.1. if
2.2.2. unless
2.2.3. case
2.2.4. Ternary operator
2.3. Loops
2.3.1. while
2.3.2. until
2.3.3. for
2.4. Iterators & Enumerators
2.4.1. Iterators
2.4.2. Enumerable objects
2.4.3. Enumerator
2.4.4. External iterators
2.4.5. Conclusion
2.5. Altering structured control flow
2.5.1. break
2.5.2. next
2.5.3. redo
2.5.4. some consideration
2.6. BEGIN / END
19
20
21
5. Pentesters Prerequisites
5.1. Regular expressions
5.1.1. Basic concepts
5.1.1.1. A quick example
5.1.1.2. Regexp object
5.1.1.3. Regexp modifier
5.1.1.4. Match method
5.1.1.5. Special characters
5.1.2. Regular Expressions Syntax
5.1.2.1. Character classes
5.1.2.2. Sequences
5.1.2.3. Alternatives
5.1.2.4. Groups
5.1.2.5. Repetition
5.1.2.6. Anchors
5.1.2.7. A real world example
5.1.2.8. More about regexp
5.1.3. Regular expressions in the Ruby
5.1.3.1. Global Variables
5.1.3.2. Working with string
5.2. Dates and time
5.2.1. Time class
5.2.1.1. Create a time instance
5.2.1.2. Components of a time
5.2.1.3. Predicates and conversions
5.2.1.4. Arithmetic
5.2.1.5. Comparisons
5.2.1.6. From time to string
6. Input / Output
6.1. File Stream
6.1.1. Reading from a file
6.1.2. Writing to a file
6.2. Working with NMAP Files
6.2.1. Ip extraction
6.2.1.1. Normal format
6.2.1.2. Grepable format
6.2.1.3. XML format
6.2.1.4. All together
6.2.2. Open port extraction
6.2.2.1. Normal format
6.2.2.2. Grepable format
6.2.2.3. XML format
6.2.2.4. All together
6.3. Conclusion
22
23
7.2.1.
7.2.2.
7.2.3.
7.2.4.
7.2.5.
7.2.6.
Kernel exec
Kernel system
Kernel backticks
IO popen
Open3 popen3
All together
24
8. The Web
8.1. Starting point
8.1.1. HTTP Protocol
8.1.2. Ruby's alternatives
8.1.2.1. Using simple socket
8.1.2.2. Net::HTTP library
8.1.2.3. Open-uri library
8.1.2.4. URI object
8.2. Request & Response
8.2.1. Net::HTTP class and instances
8.2.2. GET
8.2.2.1. Net::HTTP get
8.2.2.2. Net::HTTP get_response
8.2.2.3. HTTPResponse object
8.2.2.3.1. Status
8.2.2.3.2. Headers
8.2.2.3.3. Body
8.2.2.3.4. Response object types
8.2.2.4. Parameters
8.2.2.4.1. Url encapsulation
8.2.2.4.2. Dynamic parameters
8.2.2.5. Net::HTTP instances
8.2.2.5.1. Using get Instance
method
8.2.2.5.2. Using Http::Get request
object
8.2.2.5.3. URI and parameters
8.2.2.6. Request Headers
8.2.2.6.1. Using get Instance
method
8.2.2.6.2. Using Http::Get request
object
25
26
10. Metasploit
10.1.Introduction
10.2.ELS Echo Server
10.2.1. The service
10.2.2. The vulnerability
10.2.3. Exploitation with Metasploit
10.3.Architecture and Framework
10.3.1. Architecture
10.3.1.1. A snapshot
10.3.1.2. Files and Folders
10.3.2. Interfaces
10.3.2.1. MSFConsole
10.3.2.2. MSFCli
10.3.2.3. Web interface
10.3.2.4. Others
10.3.3. Libraries
10.3.3.1. Rex
10.3.3.2. Core Library
10.3.3.3. Base Library
10.3.4. Modules
10.3.4.1. Exploits
10.3.4.2. Auxiliary
10.3.4.3. Payloads
10.3.4.4. Nops,Encoders
10.3.4.5. Post
10.3.4.6. The point
10.3.5. Plugins
10.3.6. Tools
10.3.7. Some considerations
10.4.Explore and write the ELS Echo module
10.4.1. Module type and location
10.4.2. Module high level structure
10.4.3. Module Information
10.4.4. The check method
10.4.5. The exploit method
10.4.6. Targets considerations
10.4.7. Conclusion
10.5.Meterpreter scripting
10.5.1. Meterpreter Basic API
10.5.2. Meterpreter scripts
27
The Wi-Fi Security section is an extremely in-depth section covering all the most
important attack techniques used against Wi-Fi networks. The student will learn
the security mechanisms implemented in Wi-Fi architectures as well as their
weaknesses and how to exploit them.
- Module 1: Prerequisites
- Module 2: Environment setup
- Module 3: Wireless Standards and Networks
- Module 4: Discover Wi-Fi Networks
- Module 5: Traffic Analysis
- Module 6: Attacking Wi-Fi Networks
- Module 7: Wi-Fi as attack vector
28
1. Prerequisites
1.1. Software
1.2. Hardware
1.2.1. Antennas
1.2.2. A note on signal strength
1.2.3. Conclusions
29
2. Environment setup
2.1. Introduction
2.1.1. Considerations on Linux drivers
2.2. Adapter configuration
2.2.1. Testing your setup
3.4.1.3. WPA
3.4.1.3.1. Temporal Key Integrity
Protocol
3.4.1.3.2. CCMP/AES
3.4.1.4. WPA2
3.4.2. Authentication
3.4.2.1. Open System
3.4.2.2. Shared Key Authetication
Downloadable scripts are included in this module.
5. Traffic Analysis
5.1. Capturing traffic
5.2. Monitor mode
5.3. Channel Hopping
5.4. Wireshark filters
5.5. Traffic decryption
30
31
32
About eLearnSecurity
A leading innovator in the field of practical, hands-on IT security training.
Based in Pisa (Italy), Dubai (UAE) and in San Jose (USA), eLearnSecurity is a leading
provider of IT security and penetration testing courses including certifications for IT
professionals.
eLearnSecurity's mission is to advance the career of IT security professionals by
providing affordable and comprehensive education and certification. All
eLearnSecurity courses utilize engaging eLearning and the most effective mix of
theory, practice and methodology in IT security - all with real-world lessons that
students can immediately apply to build relevant skills and keep their organization's
data and systems safe.
33