Bypassing Security Defenses - Secret Penetration Testing Techniques

David Kennedy (ReL1K) - TrustedSec | August 1-2 & 3-4



Overview

Immerse yourself in a fully simulated corporate infrastructure where you need to start from the basics, covering everything from open source intelligence and threat modeling all the way down to vulnerability analysis and exploitation. This course will walk you through leading-edge penetration testing techniques and how to effectively circumvent a number of the major security protection mechanisms found in organizations. This course is tailored to everyone from novices all the way to seasoned professionals wanting to learn different techniques. With this course, you will have the foundation, methodologies, and knowledge to understand how attackers can penetrate an organization and compromise it further through the entire lifecycle.

Additionally, with each scenario, we will explain how to proactively defend against each of the attacks, focusing on both the red and blue team aspects and ensuring appropriate defenses are in place against the types of attacks we use every day.

This course will cover the following areas:

  • A fully designed and simulated corporate environment modeled on an external, Internet-facing organization; students will need to penetrate into the corporate infrastructure and further attack other systems.
  • Fundamental penetration testing concepts and an overview of methodologies and techniques.
  • Building an attack profile against an organization through open-source intelligence.
  • Basics of open-source tools and technologies and understanding attack avenues.
  • Understanding of the Social-Engineer Toolkit (SET) and advanced features.
  • Bypassing security technologies such as whitelisting/blacklisting, anti-virus, next generation firewalls, and other preventative measures.
  • Develop a solid understanding of penetration testing techniques and tricks of the trade.
  • High-level development concepts in Python and the basics of programming.
  • Creating your own exploits and tools in Python and utilizing them in attack vectors.
  • An understanding of post exploitation and utilizing different tools and technologies in order to further penetrate a network.

Who Should Take this Course

The course is designed for novice, intermediate or advanced levels. Basic knowledge of Linux and of maneuvering in Kali Linux is required.

Student Requirements

The student must have a working machine with Kali Linux as well as a Windows machine with Java loaded; we recommend Windows 7 or above, fully patched. These can be virtualized and one can be the primary. No anti-virus on the Windows machine (we will need to write bypass payloads first to evade). Ensure connectivity between the two virtual machines and that networking is working properly. VMware is required for the virtualization; demo/trial versions of VMware Workstation (Windows) or VMware Fusion (Mac) can be used. We do not recommend VirtualBox, as NAT and bridging get challenging when using payload delivery.

What Students Should Bring

A laptop with the student requirements loaded. Note that not having Kali Linux and a Windows machine already loaded will delay your learning. We can't hold the class up for individuals who do not have the appropriate software loaded.

What Students Will Be Provided With

A full document containing all the commands and explanations used during the course, code samples, vulnerable applications, an electronic copy of the book Metasploit: The Penetration Tester's Guide, anti-virus safe payloads, custom tools, and more.

Trainers

David Kennedy (@HackingDave) is founder and principal security consultant of TrustedSec and Co-Founder of Binary Defense Systems. David was formerly the Chief Security Officer (CSO) for a Fortune 1000 company, where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Tester's Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, DerbyCon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, RSA, Infragard, Infosec Summit, Hack3rCon and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, The Katie Couric Show, CNBC, Fox News, Fox Business, Bloomberg, Huffington Post, Neil Cavuto, Special Report with Bret Baier, Anderson Cooper Show, and BBC World News. Kennedy was formerly on the Back|Track development team and Exploit-DB team and co-host of the Social-Engineer.org podcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.

Adrian Crenshaw (Irongeek) - Adrian is the maintainer of irongeek.com, a knowledge-driven website for the pursuit of the betterment of knowledge. Adrian is a senior security consultant at TrustedSec, where he specializes in penetration testing.