Overview:

This is an immersive hands-on course that simulates a full-scale enterprise attack scenario. It allows students to assess the situation at every stage of a complex multi-layered penetration test and teaches them multiple ways to identify, enumerate, exploit and compromise an organisation.

Students will have access to a cloud-based LAB containing multiple networks, some of which are hidden. The theory and exercise content reflect real-world encounters rather than text book challenges and students will complete a vast number of exercises including everything from OSINT and reconnaissance, to creating and executing phishing campaigns against our in-LAB live bots, all the way through to post-exploitation, lateral movement and C2 exfiltration.

Swag!

We realise that 4-days is not a lot of time and therefore students are also provided with our hackpack to keep the learning going!

• 14-day extended LAB access after the course finishes
• Access to a new LAB subnet and CTF style board with challenges to further test your skills
• 14-day Slack support channel access where our security consultants are available
• A Raspberry Pi with Kali Linux pre-installed
• A portable wireless keyboard/mouse
• A hard copy of the RTFM

Student Pre-requisites:

• Familiarity with Windows and Linux command line syntax
• A basic understanding of networking concepts

Technical Requirements:

• Students will need to bring a laptop to which they have administrative/root access, running either Windows, Linux or Mac operating systems
• Students will need to have access to VNC, SSH and OpenVPN clients on their laptops

Agenda – Day 1

Introductions and LAB Overview

• Overview of the LAB, subnets, challenges and targets
• Introduction to infrastructure and application security assessments
• Introduction to monitoring and alerting using our in-LAB ELK stack

Leveraging OSINT Activities

• Data scraping: Certificate transparency logs, forums, social media, Shodan/Zoomeye, Google dorks and publicly disclosed data breaches
• Extracting document metadata

Enumerating and Targeting IPv4 and IPv6 Hosts

• IPv4/IPv6 construction and addressing schemes
• ARP, ICMP, TCP, UDP
• Identifying local and remote IPv4/IPv6 hosts using tools and manual techniques
• Port scanning, service enumeration and fingerprinting using nmap and atk6 toolsets
• Using common tools including dirb, wpscan and Metasploit to target IPv6 hosts
• Parsing and interpreting scan output

Exposure to Vulnerability Assessment Toolsets

• Manual and automated approaches to vulnerability identification
• Options for infrastructure/web
• Differences in unauthenticated/authenticated scanning
• Limitations of vulnerability tools vs manual methods

Linux Enumeration

• Enumerating and targeting application servers
• Identifying and enumerating services including SSH, IMAP, SMTP, HTTP/S
• Using Metasploit, nmap scripts and public code

Linux Shells, Post Exploitation and Privilege Escalation (Covered in Days 1 and 2)

• Exploiting weak file/folder permissions, ownership, SUID, SGID and sudo configurations
• Hacking non-interactive shells and utilising binary breakouts/GTFOBins
• Permission misconfigurations
• Leveraging binary vulnerabilities to escalate privileges
• Using Metasploit, hydra, ncrack and LinEnum

Agenda - Day 2

Linux Shells, Post Exploitation and Privilege Escalation (Covered in Days 1 and 2)

• Continued

P@ssw0rd Cracking (Linux)***

• Shadow file construction, hashing and salting (bcrypt, SHAx, MD5)
• Online/offline attack differences, limitations and tool options
• Keyspace, attack types and pros/cons of each
• Utilising hashcat

Windows Enumeration

• Targeting SMB/LDAP for user enumeration
• Explaining differences in data enumerated from unauthenticated/authenticated perspectives
• User enumeration using recent Sensepost research (2018), built-in toolsets and nmap scripting

Phishing

• Phishing campaign infrastructure (domains, SMTP, landing pages)
• Campaign creation and execution against in-LAB live bots
• Payload options and attacker motives
• Gaining access to OWA mailboxes and target hosts on different networks

Agenda - Day 3

Windows Shells, Post Exploitation and Privilege Escalation

• Authenticated local/network enumeration
• Local privilege escalation techniques
• Kerberoasting
• AMSI considerations and recent bypasses
• Leveraging PowerView, Metasploit, Unicorn, SharpSploit and GhostPack
• Extracting LAPS passwords
• Domain Pass-the-Hash (PtH) and local PtH limitations/workarounds
• Extracting clear-text passwords, tokens and LSA secrets
• RDP session hijacking (time dependant)
• Data exfiltration using PowerShell
• Leveraging Mimikatz

P@ssw0rd Cracking (Windows)

• Local and Active Directory storage
• LM/NTLM/NTLMv1/v2/cached creds/Kerberos
• Interactive/non-interactive challenge/response processes
• Further hashcat usage including rules and mask attacks Defensive Monitoring
• Introduction to Kibana
• Investigating events e.g. Windows Defender shutdown, process spawning, task execution and associated metadata Overcoming Restrictions/Policies Within an Active Directory Environment
• AppLocker policies/configurations, PowerShell enumeration
• Leveraging publicly disclosed methods/code and tools (GreatSCT)

Situational Awareness, Lateral Movement and Pivoting (Covered in Days 3 and 4)

• Network segmentation, routing and ingress/egress controls
• Locating, enumerating and targeting hosts on different networks
• Metasploit routing and Meterpreter port forwarding
• SOCKS proxies and proxychains
• SSH tunnelling (Windows and Linux) for inter-network routing
• Targeting hosts using common tools over tunnels
• Mapping with Bloodhound

Agenda - Day 4

Situational Awareness, Lateral Movement and Pivoting (Covered in Days 3 and 4)

• Continued

Application and Database Enumeration and Exploitation***

• Web application enumeration and vulnerability identification over pivots/tunnels
• Web browser developer tools and BurpSuite
• Database structures and enumeration
• SQL 101 and different types of SQL injection
• Exploiting recent SQL injection vulnerabilities using manual techniques and sqlmap
• Database password hash cracking

Abusing domain trusts to compromise the enterprise

• Understanding Windows domain trusts
• Enumerating trusted domains using PowerView
• Leveraging Metasploit and built-in Windows functionality to enumerate target domains
• Further Mimikatz usage

Gaining Persistence & Data Exfiltration Over OOB Channels

• Persistence mechanisms including registry, services, scheduled tasks, ADS
• Backdooring hosts to establish out-of-band persistent C2 channels out of an organisation

BIO:

Owen Shearing

Owen (@rebootuser) is a co-founder of in.security Ltd., a specialist cyber security consultancy offering technical and training services based in the UK. He is a CREST CCT level security consultant with a strong background in networking and IT infrastructure and has over a decade of experience in technical security roles. Owen is experienced in delivering on and offsite consultations and security testing, as well as providing technical training to a variety of audiences at bespoke events and various conferences. He runs the blog https://rebootuser.com and keeps projects at https://github.com/rebootuser .

Will Hunt

Will Hunt (@Stealthsploit) is a cyber security consultant who has worked in IT security for over 10 years. He co-founded in.security Ltd., a specialist cyber security company delivering high-end consultancy and training services. He has delivered infrastructure and web hacking courses at Black Hat USA and EU, as well as training at other bespoke international events and conferences. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer. He runs the blog https://stealthsploit.com .