360 Penetration Testing Course

Pen-testers, red teamers, Windows network administrators, security professionals, systems engineers, IT professionals, security consultants and other people responsible for implementing
infrastructure security.

Module 1: Introduction to Penetration Testing

• What is Penetration Testing
• Cyber Kill Chain
• MITRE ATT&CK Matrix
• Testing methodologies
• Reporting

Module 2: Reconnaissance

• Open-Source Intelligence (OSINT)
• Social Media Intelligence (SOCMINT)
• Google hacking and alternative search engines
• Subdomains and DNS enumeration
• Public services enumeration
• Discovering hidden secrets
   

Module 3: Infrastructure penetration testing

• Modern company, systems and solutions
• Determining attack scope
• Discovering services
• Attacking services
• Vulnerable default configurations
   
  

Module 4: Weaponization and delivery

• Generating malicious payloads
• Office Suite macros
• Reverse shells
• Evasion techniques
• Command and Control
• Securing C2 environment
• Building and executing phishing campaigns
• Physical toolkit

Module 5: Exploitation and Installation

• Types of vulnerabilities
• Exploit development
• Bypassing system guards
• Living Off the Land Binaries
• Stealth communication channels

Module 6: Privilege escalation

• Token and privileges
• Attacking services
• Attacking file system
• Accessing system secrets

Module 7: Lateral movement

• Responder
• Pass-The-Hash family attacks
• Bloodhound
• Critical Active Directory misconfigurations
• Lateral movement within AD

Module 8: Introduction to Web Application testing

• Modern Web standards and protocols
• Modern Web languages and libraries
• OWASP TOP 10
• Role of web-proxy
• Work automatization
• Business and logic issues
• Supply chain attacks and vulnerable components
• Chaining security issues
• SSL/TLS issues
• Information disclosures

Module 9: Browser's security mechanisms

• Same Origin Policy
• CORS and other exceptions
• Security headers
• Cookies' and local storage security
• Differences across implementations

Module 10: Cross Site Scripting

• Reflected and Stored Cross Site Scripting
• Attacking Document Object Model
• DOM clobbering
• Bypassing weak CSP
• Dangling markups

Module 11: Injections

• Blacklisting vs whitelisting
• SQL injections
• Command injections
• Header splitting and injection
• Other injection attacks

Module 12: Authentication and Authorization

• Attacks on authentication and authorization
• Attacks on sessions
• Insecure Direct Object Reference (IDOR) attacks
• Default credentials
• JSON Web Tokens
• SAML
• OAuth

Module 13: Insecure file handling

• Path traversal
• Content manipulation
• Insecure file extensions

Module 14: Insecure inclusions

• Local File Inclusion
• Remote File Inclusion

Module 15: Testing API

• OWASP Top 10 for API
• Bypassing API access controls
• Mass assignment attacks

You should have at 3-5 years of experience in cybersecurity to attend this training or have successfully completed one of the following CQURE Academy courses:

•  Introduction to Pentesting Course
•  30 Days to Web Application Pentesting Course

You should have a good understanding of Windows infrastructure security concepts and features. Before attending this course, you should also be familiar with basic hacking tools and Kali Linux.

Author’s unique tools, over 100 pages of exercises and presentations slides with notes.