Certified Penetration Testing Engineer

Certified Penetration Testing Engineer | CyberSecurity – MAX Technical Training

The Certified Penetration Testing Engineer course trains students on the 5 key elements of penetration testing: information gathering, scanning, enumeration, exploitation and reporting. Ethical hacking is the art of using these penetration testing techniques to identify and repair the latest vulnerabilities in a system to make sure it is secure. Malicious hackers use these same techniques to find the same vulnerabilities except they exploit the vulnerabilities giving them access to the businesses` network. Once inside, hackers can access private information, such as usernames, passwords, credit card numbers, and social security numbers of clients and employees. It`s very likely this data will be held for ransom or sold off on a black market. Hackers are constantly looking for new companies they can exploit; when they come across yours, will they be able to gain access? Certified Penetration Testing Engineers are the solution to prevent this from happening to businesses they serve.

With our proprietary penetration testing lab exercizes, students will spend about 20 hours getting real-world penetration testing experience. They’ll know what they are learning and they’ll know how to use it after course. Our instructors will also provide real life examples of when to use the techniques that are being taught. There is no better way to learn the art of penetration testing.

This course also enhances the business skills needed to identify protection opportunities, justify testing activities and optimize security controls appropriate to the business needs in order to reduce business risk.

The C)PTE`s foundation is built firmly upon proven, hands-on, penetration testing methodologies utilized by our international group of vulnerability consultants. Mile2 trainers keep abreast of their field by practicing what they teach; we believe that an equal emphasis on theoretical and real world experience is essential for effective knowledge transfer to you, the student.

Upon Completion students will:

• Have knowledge to perform penetration test
• Have knowledge to accurately report on their findings from examinations
• Be ready to sit for the C)PTE Exam

Mile2 is Accredited by the NSA-CNSS, Approved on Homelands Security NICCS Framework, and is on the FBI’s Tier 1-3 Certification Training Chart.

Module 0: Course Introduction

• Courseware Materials
• Course Overview
• Course Objectives
• C)PTE Exam Information
• Learning Aids
• Labs
• Class Prerequisites
• Student Facilities

Module 1: Logistics of Penetration Testing

• Overview
• What is a Penetration Test?
• Benefits of a Penetration Test
• Data Breach Insurance
• CSI Computer Crime Survey
• Recent Attacks & Security Breaches
• What does a Hack cost you?
• Internet Crime Complaint Center
• The Evolving Threat
• Security Vulnerability Life Cycle
• Exploit Timeline
• Zombie Definition
• What is a Botnet?
• How is a Botnet Formed?
• Botnet Statistics
• How are Botnet`s Growing?
• Types of Penetration Testing
• Hacking Methodology
• Methodology for Penetration Testing
• Penetration Testing Methodologies
• Hacker vs. Penetration Tester
• Not Just Tools
• Website Review
• Tool: SecurityNOW! SX
• Seven Management Errors
• Review

Module 2: Linux Fundamentals

• Overview
• Linux History: Linus + Minix = Linux
• The GNU Operating System
• Linux Introduction
• Linux GUI Desktops
• Linux Shell
• Linux Bash Shell
• Recommended Linux Book
• Password & Shadow File Formats
• User Account Management
• Instructor Demonstration
• Changing a user account password
• Configuring Network Interfaces with Linux
• Mounting Drives with Linux
• Tarballs and Zips
• Compiling Programs in Linux
• Why Use Live Linux Boot CDs
• Typical Linux Operating Systems
• Most Popular: BackTrack
• Review

Module 3: Information Gathering

• Overview
• What Information is gathered by the Hacker?
• Organizing Collected Information
• Leo meta-text editor
• Free Mind: Mind mapping
• IHMC CmapTools
• Methods of Obtaining Information
• Physical Access
• Social Access
• Social Engineering Techniques
• Social Networks
• Instant Messengers and Chats
• Digital Access
• Passive vs. Active Reconnaissance
• Footprinting defined
• Maltego
• Maltego GUI
• FireCAT
• Footprinting tools
• Google Hacking
• Google and Query Operators
• SiteDigger
• Job Postings
• Blogs & Forums
• Google Groups / USENET
• Internet Archive: The WayBack Machine
• Domain Name Registration
• WHOIS
• WHOIS Output
• DNS Databases
• Using Nslookup
• Dig for Unix / Linux
• Traceroute Operation
• Traceroute (cont.)
• 3D Traceroute
• Opus online traceroute
• People Search Engines
• Intelius info and Background Check Tool
• EDGAR For USA Company Info
• Company House For British Company Info
• Client Email Reputation
• Web Server Info Tool: Netcraft
• Footprinting Countermeasures
• DOMAINSBYPROXY.COM
• Review

Module 4: Detecting Live System

• Overview
• Introduction to Port Scanning
• Port Scan Tips
• Expected Results
• Popular Port Scanning Tools
• Stealth Online Ping
• NMAP: Is the Host online
• ICMP Disabled?
• NMAP TCP Connect Scan
• TCP Connect Port Scan
• Tool Practice : TCP half-open & Ping Scan
• Half-open Scan
• Firewalled Ports
• NMAP Service Version Detection
• Additional NMAP Scans
• Saving NMAP results
• NMAP UDP Scans
• UDP Port Scan
• Advanced Technique
• Tool: Superscan
• Tool: [email protected]
• Tool: Hping2
• Tool: Hping2
• More Hping2
• Tool: Auto Scan
• OS Fingerprinting: Xprobe2
• Xprobe2 Options
• Xprobe2 –v –T21-500 192.168.XXX.XXX
• Tool: P0f
• Tool Practice: Amap
• Tool: Fragrouter: Fragmenting Probe Packets
• Countermeasures: Scanning
• Review

Module 5: Enumeration

• Enumeration Overview
• Web Server Banners
• Practice: Banner Grabbing with Telnet
• SuperScan 4 Tool: Banner Grabbing
• Sc
• HTTPrint
• SMTP Server Banner
• DNS Enumeration
• Zone Transfers from Windows 2000 DNS
• Backtrack DNS Enumeration
• Countermeasure: DNS Zone Transfers
• SNMP Insecurity
• SNMP Enumeration Tools
• SNMP Enumeration Countermeasures
• Active Directory Enumeration
• LDAPMiner
• AD Enumeration countermeasures
• Null sessions
• Syntax for a Null Session
• Viewing Shares
• Tool: DumpSec
• Tool: Enumeration with Cain and Abel
• NAT Dictionary Attack Tool
• THC-Hydra
• Injecting Abel Service
• Null Session Countermeasures
• Review

Module 6: Vulnerability Assessments

• Overview
• Vulnerabilities in Network Services
• Vulnerabilities in Networks
• Vulnerability Assessment Def
• Vulnerability Assessment Intro
• Testing Overview
• Staying Abreast: Security Alerts
• Vulnerability Research Sites
• Vulnerability Scanners
• Nessus
• Nessus Report
• SAINT – Sample Report
• Tool: Retina
• Qualys Guard
• http://www.qualys.com/products/overview/
• Tool: LANguard
• Microsoft Baseline Analyzer
• MBSA Scan Report
• Dealing with Assessment Results
• Patch Management
• Other Patch Management Options

Module 7: Malware Goes Undercover

• Overview
• Distributing Malware
• Malware Capabilities
• Countermeasure: Monitoring Autostart Methods
• Tool: Netcat
• Netcat Switches
• Netcat as a Listener
• Executable Wrappers
• Benign EXE`s Historically Wrapped with Trojans
• Tool: Restorator
• Tool: Exe Icon
• The Infectious CD-Rom Technique
• Trojan: Backdoor.Zombam.B
• Trojan: JPEG GDI+
• All in One Remote Exploit
• Advanced Trojans: Avoiding Detection
• BPMTK
• Malware Countermeasures
• Gargoyle Investigator
• Spy Sweeper Enterprise
• CM Tool: Port Monitoring Software
• CM Tools: File Protection Software
• CM Tool: Windows File Protection
• CM Tool: Windows Software
• Restriction Policies
• CM Tool: Hardware Malware Detectors
• Countermeasure: User Education

Module 8: Windows Hacking

• Overview
• Password Guessing
• Password Cracking LM/NTLM Hashes
• LM Hash Encryption
• NT Hash Generation
• Syskey Encryption
• Cracking Techniques
• Precomputation Detail
• Creating Rainbow Tables
• Free Rainbow Tables
• NTPASSWD:Hash Insertion Attack
• Password Sniffing
• Windows Authentication Protocols
• Hacking Tool: Kerbsniff & KerbCrack
• Countermeasure: Monitoring Logs
• Hard Disk Security
• Breaking HD Encryption
• Tokens & Smart Cards
• USB Tokens
• Covering Tracks Overview
• Disabling Auditing
• Clearing and Event log
• Hiding Files with NTFS Alternate Data Stream
• NTFS Streams countermeasures
• What is Steganography?
• Steganography Tools
• Shedding Files Left Behind
• Leaving No Local Trace
• Tor: Anonymous Internet Access
• How Tor Works
• TOR + OpenVPN= Janus VM
• Encrypted Tunnel Notes:
• Hacking Tool: RootKit
• Windows RootKit Countermeasures

Module 9: Hacking UNIX/Linux

• Overview
• Introduction
• File System Structure
• Kernel
• Processes
• Starting and Stopping Processes
• Interacting with Processes
• Command Assistance
• Interacting with Processes
• Accounts and Groups
• Password & Shadow File Formats
• Accounts and Groups
• Linux and UNIX Permissions
• Set UID Programs
• Trust Relationships
• Logs and Auditing
• Common Network Services
• Remote Access Attacks
• Brute-Force Attacks
• Brute-Force Countermeasures
• X Window System
• X Insecurities Countermeasures
• Network File System (NFS)
• NFS Countermeasures
• Passwords and Encryption
• Password Cracking Tools
• Salting
• Symbolic Link
• Symlink Countermeasure
• Core File Manipulation
• Shared Libraries
• Kernel Flaws
• File and Directory Permissions
• SUID Files Countermeasure
• File and Directory Permissions
• World-Writable Files Countermeasure
• Clearing the Log Files
• Rootkits
• Rootkit Countermeasures
• Review

Module 10: Advanced Exploitation Techniques

• Overview
• How Do Exploits Work?
• Format String
• Race Conditions
• Memory Organization
• Buffer OverFlows
• Buffer Overflow Definition
• Overflow Illustration
• How Buffers and Stacks Are
• Supposed to Work
• Stack Function
• How a Buffer Overflow Works
• Buffer Overflows
• Heap Overflows
• Heap Spraying
• Prevention
• Security Code Reviews
• Stages of Exploit Development
• Shellcode Development
• The Metasploit Project
• The Metasploit Framework
• Meterpreter
• Fuzzers
• SaintExploit at a Glance
• SaintExploit Interface
• Core Impact Overview
• Review

Module 11: Pen Testing Wireless Networks

• Overview
• Standards Comparison
• SSID (Service Set Identity)
• MAC Filtering
• Wired Equivalent Privacy
• Weak IV Packets
• WEP Weaknesses
• XOR – Encryption Basics
• How WPA improves on WEP
• TKIP
• The WPA MIC Vulnerability
• 802.11i - WPA2
• WPA and WPA2 Mode Types
• WPA-PSK Encryption
• LEAP
• LEAP Weaknesses
• NetStumbler
• Tool: Kismet
• Tool: Aircrack-ng Suite
• Tool: Airodump-ng
• Tool: Aireplay
• DOS: Deauth/disassociate attack
• Tool: Aircrack-ng
• Attacking WEP
• Attacking WPA
• coWPAtty
• Exploiting Cisco LEAP
• asleap
• WiFiZoo
• Wesside-ng
• Typical Wired/Wireless Network
• 802.1X: EAP Types
• EAP Advantages/Disadvantages
• EAP/TLS Deployment
• New Age Protection
• Aruba – Wireless Intrusion Detection and Prevention
• RAPIDS Rogue AP Detection
• Review

Module 12: Networks, Sniffing, IDS

• Overview
• Example Packet Sniffers
• Tool: Pcap & WinPcap
• Tool: Wireshark
• TCP Stream Re-assembling
• Tool: Packetyzer
• tcpdump & windump
• Tool: OmniPeek
• Sniffer Detection Using Cain & Abel
• Active Sniffing Methods
• Switch Table Flooding
• ARP Cache Poisoning
• ARP Normal Operation
• ARP Cache Poisoning Tool
• Countermeasures
• Tool: Cain and Abel
• Ettercap
• Linux Tool Set: Dsniff Suite
• Dsniff Operation
• MailSnarf, MsgSnarf, FileSnarf
• What is DNS spoofing?
• Tools: DNS Spoofing
• Session Hijacking
• Breaking SSL Traffic
• Tool: Breaking SSL Traffic
• Tool: Cain and Abel
• Voice over IP (VoIP)
• Intercepting VoIP
• Intercepting RDP
• Cracking RDP Encryption
• Routing Protocols Analysis
• Countermeasures for Sniffing
• Countermeasures for Sniffing
• Evading The Firewall and IDS
• Evasive Techniques
• Firewall – Normal Operation
• Evasive Technique -Example
• Evading With Encrypted Tunnels
• Newer Firewall Capabilities
• ‘New Age` Protection
• Networking Device – Bastion Host
• Spyware Prevention System (SPS)
• Intrusion ‘SecureHost` Overview
• Intrusion Prevention Overview
• Review

Module 13: Injecting the Database

• Overview
• Vulnerabilities & Common Attacks
• SQL Injection
• Impacts of SQL Injection
• Why SQL “Injection”?
• SQL Injection: Enumeration
• SQL Extended Stored Procedures
• Direct Attacks
• SQL Connection Properties
• Attacking Database Servers
• Obtaining Sensitive Information
• Hacking Tool: SQLScan
• Hacking Tool: osql.exe
• Hacking Tool: Query Analyzers
• Hacking Tool: SQLExec
• www.petefinnegan.com
• Hacking Tool: Metasploit
• Finding & Fixing SQL Injection
• Hardening Databases
• Review

Module 14: Attacking Web Technologies

• Overview
• Web Server Market Share
• Common Web Application Threats
• Progression of a Professional Hacker
• Anatomy of a Web Application Attack
• Web Applications Components
• Web Application Penetration Methodologies
• URL Mappings to Web Applications
• Query String
• Changing URL Login Parameters
• Cross-Site Scripting (XSS)
• Injection Flaws
• Unvalidated Input
• Unvalidated Input Illustrated
• Impacts of Unvalidated Input
• Finding & Fixing Un-validated Input
• Attacks Against IIS
• Unicode
• IIS Directory Traversal
• IIS Logs
• Other Unicode Exploitations
• N-Stalker Scanner 2009
• NTOSpider
• HTTrack Website Copier
• Wikto Web Assessment Tool
• SiteDigger v3.0
• Paros Proxy
• Burp Proxy
• Brutus
• Dictionary Maker
• Cookies
• Acunetix Web Scanner
• Samurai Web Testing Framework

Module 15: Project Documentation

• Overview
• Additional Items
• The Report
• Report Criteria:
• Supporting Documentation
• Analyzing Risk
• Report Results Matrix
• Findings Matrix
• Delivering the Report
• Stating Fact
• Recommendations
• Executive Summary
• Technical Report
• Report Table Of Contents
• Summary Of Security Weaknesses Identified
• Scope of Testing
• Summary Recommendations
• Summary Observations
• Detailed Findings
• Strategic and Tactical Directives
• Statement of Responsibility / Appendices
• Review

Module 1 Lab – Getting Set UP

• Naming and subnet assignments
• Discovering your class share
• VM Image Preparation
• Discovering the Student Materials
• PDF Penetration Testing Methodology

Module 2 Lab – Linux Fundamentals

• Ifconfig
• Mounting a USB Thumb Drive
• Mount a Windows partition
• VNC Server
• Preinstalled tools in BackTrack 5

Module 3 Lab – Information Gathering

• Google Queries
• Footprinting Tools
• Getting everything you need with Maltego
• Using Firefox for Pen Testing
• Documentation of the assigned tasks

Module 4 Lab – Detecting Live Systems

• [email protected]
• Zenmap
• Zenmap in BackTrack 5
• NMAP Command Line
• Hping2
• Unicornscan
• Documentation of the assigned tasks

Module 5 Lab – Reconnaissance

• Banner Grabbing
• Zone Transfers
• SNMP Enumeration
• LDAP Enumeration
• Null Sessions
• SMB Enumeration
• SMTP Enumeration
• Documentation of the assigned tasks

Module 6 Lab – Vulnerability Assessment

• Run Nessus for Windows
• Run Saint
• Documentation of the assigned tasks

Module 7 Lab – Malware

• Netcat (Basics of Backdoor Tools)
• Exploiting and Pivoting our Attack
• Creating a Trojan
• Documentation of the assigned tasks

Module 8 Lab – Windows Hacking

• Cracking a Windows Password with Linux
• Covering your tracks via Audit Logs
• Stegonagraphy
• Understanding Rootkits
• Cracking a Windows Password with Cain
• Windows 7 Client Side Exploit (Browser)
• Windows 2008 SMBv2 Exploit
• Documentation of the assigned tasks

Module 9 Lab – Hacking UNIX/Linux

• Setup and Recon – Do you remember how?
• Making use of a poorly configured service
• Cracking a Linux password
• Creating a backdoor and covering our tracks
• Documentation of the assigned tasks

Module 10 Lab – Advanced Exploitation Techniques

• Metasploit Command Line
• Metasploit Web Interface
• Exploit-DB.com
• Saint
• Documentation

Module 11 Lab – Attacking Wireless Networks

• War Driving Lab
• WEP Cracking Lab (classroom only)
• Documentation

Module 12 Lab – Networks, Sniffing and IDS

• Capture FTP Traffic
• ARP Cache Poisoning Basics
• ARP Cache Poisoning - RDP
• Documentation

Module 13 Lab – Database Hacking

• Hacme Bank – Login Bypass
• Hacme Bank – Verbose Table Modification
• Hacme Books – Denial of Service
• Hacme Books – Data Tampering
• Documentation of the assigned tasks

Module 14 Lab: Hacking Web Applications

• Input Manipulation
• Shoveling a Shell
• Hacme Bank – Horizontal Privilege Escalation
• Hacme Bank – Vertical Privilege Escalation
• Hacme Bank – Cross Site Scripting
• Documentation of the assigned tasks

A5 Lab: Cryptography

• Caesar Encryption
• RC4 Encryption
• IPSec Deployment

Post-Class Lab: CORE IMPACT

• CORE IMPACT Exercise

A minimum of 12 months experience in:

• Networking Technologies
• Sound knowledge of TCP/IP
• Knowledge of Microsoft packages
• Network+
• Microsoft
• Security+
• Basic Knowledge of Linux is essential
• C)VA/C)PEH or equivalent knowledge

The C)PTE is a course on penetration testing designed for those who already have a basic understanding of cyber security. We recommend an understanding of how computers are networked and how they interact with the internet (TCP/IP). Some of the tools we will use are only developed for Linux; therefor having experience with Linux is a plus. We recommend having the previously mentioned experience or you can prepare to take the course by completing the C)ISSO: Certified Information Systems Officer course as a prerequisite. People who are in or are going into the following professional roles will especially benefit from our course:

• Penetration Testing Consultant
• Security Analyst/Consultant
• Security Architect
• Chief Information Security Officer
• Security Auditor
• IT Management
• Ethical Hackers
• Security Consultants
• System Administrators
• Chief Security Officers