
Tactical Exploitation 4Day

Attack Research | August 1-4


Penetration testing often focuses on individual vulnerabilities and services, but the quickest route to compromise is usually hands-on work with unconventional techniques. This four-day course introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and lesser-known techniques, attendees will learn how attackers compromise systems without depending on standard exploits. The class alternates between lectures and hands-on testing, giving attendees the opportunity to try the techniques discussed.

In the first half of the course, attendees learn how to build their own custom malware using both common and uncommon tool sets, and then apply these malware-authoring concepts to exploitation throughout the rest of the class. The class then moves into lesser-known tactics for taking down Windows domains regardless of their age or patch level. This section is based heavily on post-exploitation techniques refined by Attack Research. Students will walk away able to compromise any Windows host, whether or not it is running the newest OS.

In the second half of the course, the focus shifts from compromising Windows-based networks to a true production-level Unix environment. Attendees will receive in-depth exploitation techniques for becoming root in any Unix environment and for abusing those newly won resources for unique lateral movement techniques. Students will learn complete domination of a true production Windows/Unix environment.

Topics Covered:
  • Malware authoring techniques (Malware for Pen Testers)
  • How recon isn't about processes and software
  • Recon techniques for lateral movement
  • Using Windows against itself
  • Privilege Escalation without exploits
  • Evasion techniques
  • Stealth tactics
  • Penetration testing OPSEC
  • Persistence mechanisms
  • Lateral movement options
  • Exploiting Kerberos for profit
  • Tunneling for lateral movement in *nix environments
  • How windows are made and broken with X

Students will test all of the skills they gain in the course against a virtual network designed specifically for the class to represent a large-scale enterprise. Labs are interwoven with the lecture so that students spend a significant amount of time practically exercising new skills as they learn them. By the end of the class, students will have spent 50% of the time in a lab environment.

Who Should Take this Course

This course is well suited to penetration testers and other security professionals who have a basic grasp of networking and software exploits. It differs from a typical ethical hacking program in that the focus is on techniques that are not affected by patch levels. A portion of the class is dedicated to building new tools on the fly to solve the challenges posed by a difficult penetration test.

Student Requirements

Student machines must be able to run at least one virtual machine under VMware Workstation 8.0 or later (a demo license is available). Student laptops must run OS X, Linux, or Windows, and students must be able to disable all antivirus, sniff traffic, adjust firewalls, and so on.

Students must have:
  • Familiarity with a scripting language such as Python, Perl, or Ruby
  • Intermediate systems administration skills on a Windows or Linux machine

What Students Should Bring

See student requirements section

What Students Will Be Provided With

Students leave the class with full documentation and the entire custom and non-custom toolset, as well as the custom tools they design and build during the class. Students walk away from AR training sessions not only with the "usual" training materials but with a wealth of knowledge for both attacking and defending networks.

AR uses a very hands-on teaching approach: students spend 50% of class time performing practical exercises in a lab environment designed to simulate real-world enterprise networks. This class structure has proven successful for retention of skills and for student engagement. Our lab environments replicate the kinds of production networks students will encounter in the real world.


Russ Gideon (rgideon@attackresearch.com) Russ has many years of experience in information security, fulfilling diverse roles from being a core member of an Incident Response operation to running effective Red Teams across the United States government. Russ excels both at malware reverse engineering, which lets him deeply understand how attackers do what they do, and at high-end Red Teaming, where he must penetrate sophisticated, well-protected, high-value systems. Russ currently serves as the Director of Malware Research at Attack Research.

Val Smith (valsmith@attackresearch.com) Val has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering, and malware research. He works on the Metasploit Project development team as well as on other vulnerability development efforts. Most recently, Val founded Attack Research, which is devoted to a deep understanding of the mechanics of computer attack. Previously, Val founded Offensive Computing, a public, open-source malware research project.

Colin Ames (amesc@attackresearch.com) Colin is a security researcher with Attack Research LLC, where he consults for both the private and public sectors. He is currently focused on penetration testing, exploit development, reverse engineering, and malware analysis.

Dave Sayre (dkerb@attackresearch.com) David has worked in the computer security arena for the past ten years, specializing in reverse engineering, malware research, and penetration testing. During that time he has worked at various organizations, including Offensive Computing, a malware research company. He is currently conducting research at Attack Research, which was set up to help understand the internals of attacks. Dave focuses on *nix systems and enjoys figuring out how to abuse trust relationships between *nix systems.