2-DAY TRAINING 14 – Hacking Enterprises: Understanding in.security

DURATION: 2 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: N/A

EUR1899 (early bird)

EUR2599 (normal)

Early bird registration rate ends on the 28th of February

 

Overview

This is an immersive hands-on course that simulates a full-scale enterprise attack scenario. It allows
students to assess the situation at every stage of a complex multi-layered penetration test and
teaches them multiple ways to identify, enumerate, exploit and compromise an organisation.

Students will have access to a cloud-based LAB containing multiple networks, some of which are
hidden. The theory and exercise content reflect real-world encounters rather than text book
challenges and students will complete a vast number of exercises including everything from OSINT
and reconnaissance, to creating and executing phishing campaigns against our in-LAB live bots, all the
way through to post-exploitation, lateral movement and C2 exfiltration.

Each Student Will Receive:
We realise that 2-days is not a lot of time and therefore students are also provided with our hackpack to keep the learning going!

  • 14-day extended LAB access after the course finishes
  • Access to a new LAB subnet and CTF style board with challenges to further test your skills
  • 14-day Slack support channel access where our security consultants are available
  • A Raspberry Pi with Kali Linux pre-installed
  • A portable wireless keyboard/mouse
  • A hard copy of the RTFM

Key Learning Objectives

  • Performing effective OSINT activities
  • Identifying live hosts and services over IPv4 and IPv6
  • IPv4/IPv6 enumeration and exploitation of targets from unauthenticated/authenticated
    perspectives
  • Cracking hashes from a variety of targets including Linux, Windows, DBs and password vaults
  • Performing effective post exploitation attacks, enumeration and data gathering
  • Creating and executing effective phishing campaigns
  • Performing lateral movement and routing traffic to hidden networks
  • Exploiting application weaknesses over tunnels, routed connections and shells
  • Understanding how Active Directory trusts operate, are structed and can be abused
  • Gaining persistence and exfiltrating data via out of band channels
  • Understanding how defensive monitoring can be used to identify malicious activities

Who Should Attend

This training is suited to a variety of students, including:

  • Penetration Testers
  • Security Professionals
  • IT Support, Administrative and Network Personnel
  • Anyone looking to enter the world of technical security

Prerequisite Knowledge

  • Familiarity with Windows and Linux command line syntax
  • A basic understanding of networking concepts

Hardware / Software Requirements

  • Students will need to bring a laptop to which they have administrative/root access, running
    either Windows, Linux or Mac operating systems
  • Students will need to have access to VNC, SSH and OpenVPN clients on their laptops

Agenda – Day 1

Introductions and LAB Overview

  • Overview of the LAB, subnets, challenges and targets
  • Introduction to infrastructure and application security assessments
  • Introduction to monitoring and alerting using our in-LAB ELK stack

Leveraging OSINT Activities

  • Data scraping: Certificate transparency logs, forums, social media, Shodan/Zoomeye, Google
    dorks and publicly disclosed data breaches
  • Extracting document metadata

Enumerating and Targeting IPv4 and IPv6 Hosts

  • IPv4/IPv6 construction and addressing schemes
  • ARP, ICMP, TCP, UDP
  • Identifying local and remote IPv4/IPv6 hosts using tools and manual techniques
  • Port scanning, service enumeration and fingerprinting using nmap and atk6 toolsets
  • Using common tools including dirb, wpscan and Metasploit to target IPv6 hosts
  • Parsing and interpreting scan output

Exposure to Vulnerability Assessment Toolsets

  • Manual and automated approaches to vulnerability identification
  • Options for infrastructure/web
  • Differences in unauthenticated/authenticated scanning
  • Limitations of vulnerability tools vs manual methods

Linux Enumeration

  • Enumerating and targeting application servers
  • Identifying and enumerating services including SSH, IMAP, SMTP, HTTP/S
  • Using Metasploit, nmap scripts and public code

Linux Shells, Post Exploitation and Privilege Escalation (Covered in Days 1 and 2)

  • Exploiting weak file/folder permissions, ownership, SUID, SGID and sudo configurations
  • Hacking non-interactive shells and utilising binary breakouts/GTFOBins
  • Permission misconfigurations
  • Leveraging binary vulnerabilities to escalate privileges
  • Using Metasploit, hydra, ncrack and LinEnum

P@ssw0rd Cracking (Linux)

  • Shadow file construction, hashing and salting (bcrypt, SHAx, MD5)
  • Online/offline attack differences, limitations and tool options
  • Keyspace, attack types and pros/cons of each
  • Utilising hashcat

Windows Enumeration

  • Targeting SMB/LDAP for user enumeration
  • Explaining differences in data enumerated from unauthenticated/authenticated perspectives
  • User enumeration using recent Sensepost research (2018), built-in toolsets and nmap
    scripting

Phishing

  • Phishing campaign infrastructure (domains, SMTP, landing pages)
  • Campaign creation and execution against in-LAB live bots
  • Payload options and attacker motives
  • Gaining access to OWA mailboxes and target hosts on different networks

Agenda – Day 2

Windows Shells, Post Exploitation and Privilege Escalation

  • Authenticated local/network enumeration
  • Local privilege escalation techniques
  • Kerberoasting
  • AMSI considerations and recent bypasses
  • Leveraging PowerView, Metasploit, Unicorn, SharpSploit and GhostPack
  • Extracting LAPS passwords
  • Domain Pass-the-Hash (PtH) and local PtH limitations/workarounds
  • Extracting clear-text passwords, tokens and LSA secrets
  • RDP session hijacking (time dependant)
  • Data exfiltration using PowerShell
  • Leveraging Mimikatz

P@ssw0rd Cracking (Windows)

  • Local and Active Directory storage
  • LM/NTLM/NTLMv1/v2/cached creds/Kerberos
  • Interactive/non-interactive challenge/response processes
  • Further hashcat usage including rules and mask attacks

Defensive Monitoring

  • Introduction to Kibana
  • Investigating events e.g. Windows Defender shutdown, process spawning, task execution and
    associated metadata

Overcoming Restrictions/Policies Within an Active Directory Environment

  • AppLocker policies/configurations, PowerShell enumeration
  • Leveraging publicly disclosed methods/code and tools (GreatSCT)

Situational Awareness, Lateral Movement and Pivoting

  • Network segmentation, routing and ingress/egress controls
  • Locating, enumerating and targeting hosts on different networks
  • Metasploit routing and Meterpreter port forwarding
  • SOCKS proxies and proxychains
  • SSH tunnelling (Windows and Linux) for inter-network routing
  • Targeting hosts using common tools over tunnels
  • Mapping with Bloodhound

Application and Database Enumeration and Exploitation

  • Web application enumeration and vulnerability identification over pivots/tunnels
  • Web browser developer tools and BurpSuite
  • Database structures and enumeration
  • SQL 101 and different types of SQL injection
  • Exploiting recent SQL injection vulnerabilities using manual techniques and sqlmap
  • Database password hash cracking

Abusing domain trusts to compromise the enterprise

  • Understanding Windows domain trusts
  • Enumerating trusted domains using PowerView
  • Leveraging Metasploit and built-in Windows functionality to enumerate target domains
  • Further Mimikatz usage

Gain Persistence & Data Exfiltration Over OOB Channels

  • Persistence mechanisms including registry, services, scheduled tasks, ADS
  • Backdooring hosts to establish out-of-band persistent C2 channels out of an organisation

TRAININGS
Location: Training Rooms Date: May 7, 2019 Time: 9:00 am - 6:00 pm Will Hunt Owen Shearing