EC-Council
CAST CENTER FOR ADVANCED
SECURITY TRAINING
CAST 611
Advanced Penetration Testing
Make The Difference
CAST EC-Council
About EC-Council Center of Advanced Security Training (CAST)
The rapidly evolving information security landscape now requires professionals to stay up to date on the latest security technologies, threats and remediation strategies. CAST was created to address the need for quality advanced technical training for information security professionals who aspire to acquire the skill sets required for their job functions. CAST courses are advanced and highly technical training programs co-developed by EC-Council and well-respected industry practitioners or subject matter experts. CAST aims to provide specialized training programs that will cover key information security domains, at an advanced level.
Advanced Penetration Testing
Course Description
The course is ALL Hands-On - 100%.
The format is to practice the professional security testing methodology for the first half of the class.
The sample methodology:
- Information gathering and OSINT
- Scanning Building a Target Database
- Enumeration
- Vulnerability Analysis
- Exploitation
- Post exploitation
- Advanced techniques
- Data Analysis
- Report
Once you have practiced this, you will go against a "live" range. The process is as follows:
Access the range:
- You will be provided a scope of work
- Have 2-3 hours on the range and then be provided a debrief
Motto:
- So you think you can pen test? PROVE IT!

The ranges are progressive and increase in difficulty at each level. There are 3-4 levels to complete, and then you are ready for the challenge range practical!

The course will teach you how to do a professional security test and produce the most important thing from a test ... the findings and the report!

Practical:
- Three phases
- Scope of work for each phase
- 6 hours to complete the practical
- Save all of the data and build a target database of your findings at completion of the range section
- Two hours for a written exam based on the ranges
- Pass exam
- Receive CAST Advanced Penetration Tester Certification

The ranges progress in difficulty and reflect an enterprise-level architecture. There will be defenses to defeat and challenges to overcome. This is not your typical FLAT network! As the range levels increase you will encounter the top defenses of today and learn the latest evasion techniques.

The format you will use has been used to train thousands of penetration testers globally; it is proven and effective!
What Will You Learn?
Students completing this course will gain in-depth knowledge in the following areas:
01 Advanced Scanning methods
02 Attacking from the Web
03 Client Side Pen-testing
04 Attacking from the LAN
05 Breaking out of Restricted Environments
06 Bypassing Network-Based IDS/IPS
07 Privilege Escalation
08 Post-Exploitation
Who Should Attend
• Information security professionals
• Penetration Testers
• IT managers
• IT auditors
• Government & Intelligence Agencies
interested in real world attack and defense in today’s complex and highly secure IT environments
Course Outline
1. Information gathering and OSINT
• Nslookup
• Dig
• dnsenum
• dnsrecon
• dnsmap
• reverseraider
• Enumeration of DNS with fierce
• Internet registrars and whois
• Enumeration with theHarvester
• ServerSniff
• Google Hacking Database
• metagoofil
• Cloud Scanning with Shodan
2. Scanning
• Scanning with the Nmap tool
• Scan for live systems
• Scan for open ports
• Identify services
• Enumerate
• Output the scanner results in an XML format for display
• Scanning with autoscan
• Scanning with Netifera
• Scanning with sslscan
• Scanning and Scripting with Hping3
• Building a Target Database
RANGE: Live Target Range Challenge Level One
3. Enumeration
• Enumerating Targets
• Enumerating SNMP
• Using the nmap scripting engine
• Enumerating SMB
• OS Fingerprinting
4. Vulnerability Analysis
• Vulnerability Sites
• Vulnerability Analysis with OpenVAS
• Scan from within Metasploit
• Vulnerability Analysis with Nessus
• Firewalls and Vulnerability Scanners
• Vulnerability Analysis of Web Applications
• XSS
• CSRF
• SQL Injection
• Others
• Vulnerability Scanning with W3AF
• Vulnerability Scanning with Webshag
• Vulnerability Scanning with Skipfish
• Vulnerability Scanning with Vega
• Vulnerability Scanning with Proxystrike
• Vulnerability Scanning with Owasp-zap
RANGE: Live Target Range Challenge Level Two
5. Exploitation
• Exploit Sites
• Manual Exploitation
• Scanning the target
• Identifying vulnerabilities
• Finding an exploit for the vulnerability
• Prepare the exploit
• Exploit the machine
• Exploitation with Metasploit
• Locate an exploit, and attempt to exploit a machine
• Exploiting with Armitage
• Scan from within Armitage
• Managing targets in Armitage
• Exploiting targets with Armitage
• Exploitation with SET
• Setup SET
• Access compromised web site using Java attack vector
• Gain user-level access to the latest Windows machines
• Perform privilege escalation
• Gain system-level access to the latest Windows machines
• Extract data with scraper
• Extract data with winenum
• Analyze the pilfered data
• Kill the antivirus protection
6. Post Exploitation
• Conduct local assessment
• Conduct the scanning methodology against the machine
• Identify vulnerabilities
• Search for an exploit
• Compile the exploit
• Attempt to exploit the machine
• Migrate the exploit to another process
• Harvest information from an exploited machine
• Capture and crack passwords
• Copy files to and from an exploited machine
RANGE: Live Target Range Challenge Four
7. Data Analysis and Reporting
• Compiling Data in MagicTree
• Take tool output and store it in a usable form
• Compiling Data in Dradis
• Storing OpenVAS results
• Developing a Professional Report
• Identify the components of a report.
• Cover Page
• Table of Contents
• Executive Summary
• Host Table
• Summary of findings
• Detailed Findings
• Conclusion
• Appendices
• Reviewing findings and creating report information
• Conducting systematic analysis
• Validation and verification
• Severity
• Description
• Analysis/Exposure
• Screenshot
• Recommendation
• Reviewing sample reports
• Creating a custom report
8. Advanced Techniques
• Scanning against defenses
• Routers
• Firewalls
• IPS
• Exploitation through defenses
• Source port configuration
• Detecting Load Balancing
• DNS
• HTTP
• Detecting Web Application Firewalls
• wafW00f
• Evading Detection
• Identifying the threshold of a device
• Slow and controlled scanning
• Obfuscated exploitation payloads
• Exploit writing
• Writing custom exploits
• Exploit writing references
Master Trainer:
Kevin Cardwell
Kevin Cardwell served as the leader of a 5-person Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways clients can mitigate or limit the impact of these weaknesses.

He currently works as a freelance consultant and provides consulting services for companies throughout the world, and as an advisor to numerous government entities within the US, Middle East, Africa, Asia and the UK. He is an Instructor, Technical Editor and Author for Computer Forensics and Hacking courses. He is the author of the Center for Advanced Security Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree courses Penetration Testing Techniques and Computer Forensics. He has presented at the Black Hat USA, Hacker Halted, ISSA and TakeDownCon conferences. He has chaired the Cybercrime and Cyberdefense Summit in Oman. He is the author of BackTrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas.

He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman, which was recently rated as the top CERT for the Middle East. He serves as a professional training consultant to the Oman Information Technology Authority, and developed the team to man the first Commercial Security Operations Center in the country of Oman. He has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK in the planning of a robust and secure architecture and implementing requirements to meet compliance. He currently provides consultancy to commercial companies, governments, major banks and financial institutions in the Gulf region, including the Muscat Securities Market (MSM) and the Central Bank of Oman. Additionally, he provides training and consultancy to the Oman CERT and the SOC team in the monitoring and incident identification of intrusions and incidents within the Gulf region.