EC-Council
CAST
CENTER FOR ADVANCED SECURITY TRAINING
CAST 611
Advanced Penetration Testing
Make The Difference
About EC-Council Center of Advanced Security Training (CAST)
The rapidly evolving information security landscape now requires professionals to stay up to date on the latest security technologies, threats and remediation strategies. CAST was created to address the need for quality advanced technical training for information security professionals who aspire to acquire the skill sets required for their job functions. CAST courses are advanced and highly technical training programs co-developed by EC-Council and well-respected industry practitioners or subject matter experts. CAST aims to provide specialized training programs that will cover key information security domains at an advanced level.
Advanced Penetration Testing
Course Description
The course is 100% hands-on.
In the first half of the class you practice the professional security testing methodology.
The sample methodology:
- Information gathering and OSINT
- Scanning and building a target database
- Enumeration
- Vulnerability Analysis
- Exploitation
- Post exploitation
- Advanced techniques
- Data Analysis
- Report
Once you have practiced this, you will go against a "live" range. The process is as follows:
Access the range:
- You will be provided a scope of work
- You have 2-3 hours on the range and are then given a debrief
The ranges are progressive and increase in difficulty at each level. There are 3-4 levels to complete; then you are ready for the challenge range practical!
Practical:
- Three phases, with a scope of work for each phase.
- 6 hours to complete the practical.
- Save all of the data and build a target database of your findings at the completion of the range section.
- Two hours for a written exam based on the ranges.
- Pass the exam and receive the CAST Advanced Penetration Tester Certification.
Motto:
- So you think you can pen test? PROVE IT!
The course will teach you how to do a professional security test and produce the most important thing from a test ... the findings and the report!
The ranges progress in difficulty and reflect an enterprise-level architecture. There will be defenses to defeat and challenges to overcome. This is not your typical FLAT network! As the range levels increase you will encounter the top defenses of today and learn the latest evasion techniques.
The format you will use has been used to train thousands of penetration testers globally; it is proven and effective!
What Will You Learn?
Students completing this course will gain in-depth knowledge in the following areas:
01 Advanced Scanning methods
02 Attacking from the Web
03 Client Side Pen-testing
04 Attacking from the LAN
05 Breaking out of Restricted Environments
06 Bypassing Network-Based IDS/IPS
07 Privilege Escalation
08 Post-Exploitation
Who Should Attend
- Information security professionals
- Penetration Testers
- IT managers
- IT auditors
- Government & Intelligence Agencies interested in real-world attack and defense in today's complex and highly secure IT environments
Course Outline
1. Information gathering and OSINT
Nslookup
Dig
dnsenum
dnsrecon
dnsmap
reverseraider
Enumeration of DNS with fierce
Internet registrars and whois
Enumeration with theHarvester
ServerSniff
Google Hacking Database
metagoofil
Cloud Scanning with Shodan
2. Scanning
Scanning with the Nmap tool
Scan for live systems
Scan for open ports
Identify services
Enumerate
Output the scanner results in an XML format for display
Scanning with autoscan
Scanning with Netifera
Scanning with sslscan
Scanning and Scripting with Hping3
Building a Target Database
RANGE: Live Target Range Challenge Level One
3. Enumeration
Enumerating Targets
Enumerating SNMP
Using the nmap scripting engine
Enumerating SMB
OS Fingerprinting
4. Vulnerability Analysis
Vulnerability Sites
Vulnerability Analysis with OpenVAS
Vulnerability Analysis with Nessus
Firewalls and Vulnerability Scanners
Vulnerability Analysis of Web Applications
  XSS
  CSRF
  SQL Injection
  Others
Vulnerability Scanning with Vega
Vulnerability Scanning with Proxystrike
Vulnerability Scanning with OWASP ZAP
Vulnerability Scanning with W3AF
Vulnerability Scanning with Webshag
Vulnerability Scanning with Skipfish
RANGE: Live Target Range Challenge Level Two
5. Exploitation
Exploit Sites
Manual Exploitation
  Scanning the target
  Identifying vulnerabilities
  Finding an exploit for the vulnerability
  Prepare the exploit
  Exploit the machine
Exploitation with Metasploit
  Scan from within Metasploit
  Locate an exploit, and attempt to exploit a machine
Exploiting with Armitage
  Scan from within Armitage
  Managing targets in Armitage
  Exploiting targets with Armitage
Exploitation with SET
  Setup SET
  Access compromised web site using Java attack vector
Gain user-level access to the latest Windows machines
Perform privilege escalation
Gain system-level access to the latest Windows machines
Extract data with scraper
Extract data with winenum
Analyze the pilfered data
Kill the antivirus protection
6. Post Exploitation
Conduct local assessment
Conduct the scanning methodology against the machine
Identify vulnerabilities
Search for an exploit
Compile the exploit
Attempt to exploit the machine
Migrate the exploit to another process
Harvest information from an exploited machine
Capture and crack passwords
Copy files to and from an exploited machine
RANGE: Live Target Range Challenge Level Four
7. Data Analysis and Reporting
Compiling Data in MagicTree
  Take tool output and store it in a usable form
Compiling Data in Dradis
  Storing OpenVAS results
Developing a Professional Report
  Identify the components of a report
    Cover Page
    Table of Contents
    Executive Summary
    Host Table
    Summary of findings
    Detailed Findings
    Conclusion
    Appendices
  Reviewing findings and creating report information
  Conducting systematic analysis
    Validation and verification
    Severity
    Description
    Analysis/Exposure
    Screenshot
    Recommendation
  Reviewing sample reports
  Creating a custom report
8. Advanced Techniques
Scanning against defenses
Routers
Firewalls
IPS
Exploitation through defenses
Detecting Load Balancing
DNS
HTTP
Detecting Web Application Firewalls
Source port configuration
wafW00f
Evading Detection
Identifying the threshold of a device
Slow and controlled scanning
Obfuscated exploitation payloads
Exploit writing
Writing custom exploits
Exploit writing references
Master Trainer: Kevin Cardwell
Kevin Cardwell served as the leader of a 5-person Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways clients can mitigate or limit the impact of these weaknesses.
He currently works as a freelance consultant and provides consulting services for companies throughout the world, and as an advisor to numerous government entities within the US, Middle East, Africa, Asia and the UK. He is an Instructor, Technical Editor and Author for Computer Forensics and Hacking courses. He is the author of the Center for Advanced Security Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree courses Penetration Testing Techniques and Computer Forensics. He has presented at the Blackhat USA, Hacker Halted, ISSA and TakeDownCon conferences. He has chaired the Cybercrime and Cyberdefense Summit in Oman. He is the author of BackTrack: Testing Wireless Network Security. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas. He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman, which was recently rated as the top CERT for the Middle East. He serves as a professional training consultant to the Oman Information Technology Authority, and developed the team to staff the first Commercial Security Operations Center in the country of Oman. He has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK in the planning of a robust and secure architecture and implementing requirements to meet compliance. He currently provides consultancy to commercial companies, governments, major banks and financial institutions in the Gulf region, including the Muscat Securities Market (MSM) and the Central Bank of Oman. Additionally, he provides training and consultancy to the Oman CERT and the SOC team in the monitoring and identification of intrusions and incidents within the Gulf region.