VIRTUAL HACKING LABS

PENETRATION TESTING
COURSEWARE SAMPLE

WWW.VIRTUALHACKINGLABS.COM
INTRODUCTION

ABOUT US
The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing
training solutions. We believe that the most effective and efficient learning approach is to combine
practical scenario based training with easy to understand courseware. To fulfil this learning experience
we have created a full virtual penetration testing environment called: The Virtual Hacking Labs.

Our mission is to create the best Virtual Hacking Labs
and training materials at an affordable rate for as
much (aspiring) information security professionals
as possible. The Virtual Hacking Labs want to provide
continuously updated labs and courseware that can
be used to maintain knowledge and skill levels that
are expected from IT security professionals. We also
want to make practical training available for anyone
aspiring a job as ethical hacker or penetration tester.
For this reason our courseware starts from the basics
and gradually increases difficulty by covering more
advanced subjects.
that are vulnerable to Remote Code Execution, SQL
injection, Local File Inclusion, Remote File inclusion
and many more vulnerabilities. After getting an initial
command line shell on an exploited target, you will
have the opportunity to practice privilege escalation
techniques that are used to upgrade the current shell
with administrator priviliges.
LAB ACCESS
Access to the Virtual Hacking Labs is provided through
a VPN client which connects you to the network as if it
is a real company network. We provide several popular
pre-configured penetration testing distributions such
as Kali Linux and Parrot Security OS. Installing the
penetration testing distribution of your choice is very
easy and usually consists of a few clicks.

VULNERABLE HOSTS
In the labs you will learn how to compromise both
Windows and Linux hosts running webservers, mail
servers, development tools and many more services
and protocols. You will also encounter network devices
PENETRATION TESTING LAB like virtual firewalls, routers and NAS systems commonly
The Virtual Hacking Labs is a penetration testing lab used in both personal and enterprise settings. Every
accompanied with extensive courseware covering the system is configured to contribute to a specific learning
most important subjects in the field of penetration experience using one or more attack vectors.
testing. The Virtual Hacking Labs contain many real
world scenarios that allow you to learn and practice
penetration testing in a safe environment. Many of
these scenarios can be found at a lot of company IT
environments and contain devices such as: Domain
Controllers, Firewalls, Linux and Windows servers,
NAS, Android devices and of course Windows and
Linux clients. All devices and machines in the labs are
configured to be intentionally vulnerable and can be
exploited in one or more ways.

The courseware that is included with every access

pass covers all phases of penetration testing, from
enumeration to exploitation. By enumerating the lab
machines you will learn how to gather information that
can be used for vulnerability assessments and finally to We are keeping the labs up-to-date with new machines
exploit the machines. In the labs you will learn how to and recently discovered vulnerabilities with high impact
enumerate and exploit protocols such has FTP, SNMP & on a monthly basis. This is how we want to keep your
SMB. You will also learn how to exploit web applications knowledge and experience up-to-date.
 Do you prefer a full black box approach and root all
TRAINING MATERIALS machines on your own or do you prefer a balance
Along with the lab access we provide all the written between theoretical and practical part of the course
courseware and documentation that is needed to learn with some help along the way?
penetration testing and be successful in the labs. We are
keeping the training material up-to-date continuously
to make sure you will learn the latest insights and
techniques in the field of ethical hacking.

The courseware is written in a way that is easily

understandable for anyone new in the field of
penetration testing. We start with the very basics of
penetration testing and gradually increase the difficulty
by covering more advanced subjects.

RESET PANEL
The Virtual Hacking Labs reset panel can be used to
reset hosts in the lab network back to their original state.
Resetting a host is particularly useful when a host is left
in a state where it is not vulnerable anymore. Resetting
the host will give you a fresh start on the machine.
Every student is allowed to reset hosts in the lab every
15 minutes through the reset panel. This guarantees
an effective learning experience as designed without
delays.
The hints are not direct solutions for the lab machines
STUDENT PANEL but they contain enough information to push you in
All students have access to a dedicated student panel the right direction. To keep the Virtual Hacking Labs
that can be used to track your course and lab progress. challenging for everyone we only provide hints for the
This panel also provides information about the lab Beginner and Advanced machines. The Advanced+
machines, including hints for anyone that’s stuck at hosts are the final challenge and are excluded from
a specific box. This way you can choose what your hints.
learning path will look like.
CERTIFICATE OF COMPLETION
For those who managed to get root/administrator
access on at least 20 lab machines can request a
certificate of completion. This trophy consists of a PDF
certificate with your name and a set of badges to use
for social media such as LinkedIn. The VHL Certificate
of Completion is included at no additional cost with a
month pass and greater.
To be eligible for the VHL Certificate of Completion you
need to:
1. Get root/administrator access on at least 20 lab
machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab
machines.
4. Supply the contents of key.txt files from the rooted
lab machines.
The documentation should at least contain information
about the exploited vulnerabilities, such as the CVE
ID’s, used exploits and screenshots of the exploitation
process. The screenshots should contain at least the
following information: Lab machine IP, your IP and the
used commands (command line, URL’s, requests etc.).
For privilege escalation also include screenshots with
the output of the id/whoami/getuid command before
and after executing the exploit.
After submitting the documentation we will manually
verify the information and check the authenticity of the
screenshots. Be sure to include your student ID and full
name to display on the Certificate of Completion in the
documentation. Also use the e-mail address you have
signed up with to the Virtual Hacking Labs. When the
supplied documentation and screenshots have been
approved we will send the Certificate of Completion as
soon as possible.
Completing the penetration testing course
may qualify you for 40 (ISC)² CPE and EC Council
credit hours. The Certificate of Completion can
be used as proof for completing the course.
PRICING
Access passes includes all access to our labs, online
courseware, courseware e-book and a certificate of
completion. Except for the week pass which does not
include the certificate and the e-book version of the
courseware.
1 week access $49 €46
1 month access $99 €93
3 month access $249 €233
6 month access $449 €419
1 year access $749 €699
COURSE TABLE OF CONTENTS

1. PENETRATION TESTING BASICS 6. PRIVILEGE ESCALATION

1. Intro 1. Intro
2. About Penetration testing 2. Privilege escalation on Linux
3. The Penetration process explained 3. Privilege escalation on Windows
4. Jobs and professional opportunities
7. WEB APPLICATIONS
2. ACCESSING THE LABS 1. Intro
1. Intro 2. Local and Remote File Inclusion (LFI/RFI)
2. Installing Kali Linux 3. Remote Code Execution
3. VPN Access 4. Remote Command Execution
4. Reset panel 5. SQL Injection Basics
5. Rules & Restrictions 6. Web shells
6. Legal 7. File Upload Vulnerabilities
7. Certificate of Completion
8. Where to start from here? 8. PASSWORD ATTACKS
1. Intro
3. INFORMATION GATHERING 2. Generating password lists
1. Intro 3. Windows passwords and hashes
2. Passive information gathering 4. Cracking hashes with John
3. Active information gathering 5. Web application passwords

4. VULNERABILITY ASSESSMENT 9. NETWORKING & SHELLS

1. Intro 1. Intro
2. Metasploitable 2 enumeration information & Vul- 2. Netcat shells
nerabilities 3. Upgrading a Netcat shell to Meterpreter
3. Vulnerability & Exploit databases
4. Nmap scripts 10. METASPLOIT
5. OpenVAS automated vulnerability scanning 1. Intro
2. Basic Commands
5. EXPLOITATION 3. Exploit Commands
1. Intro 4. Meterpreter Basics
2. How to work with exploits and where to find them
3. Compiling Linux kernel exploits
4. Compiling Windows exploits on Linux
5. Transferring exploits
6. Exploiting vulnerabilities in practice
3.2 PASSIVE INFORMATION GATHERING

Passive information gathering is the process of collecting information about a specific target from publicly
available sources. This kind of information gathering is all about ‘getting to know your target’. The process
of passive information gathering is often performed before starting the actual penetration test on the
network and often returns valuable information for other stages of the penetration test. Many companies
often leak intentionally or unintentionally information which can be picked up by hackers without even
touching the company servers. The leaked information can be combined with other information which can
be very helpful in later stages of the penetration test. Think of employee names combined with company
naming conventions for account names. Also social media and company blogs can be a great source for
passive information gathering.

Passive information gathering activities should be
focused on identifying IP addresses, (sub)domains,
external partners and services, technologies used,
people employed and any other useful information.
The information gathered from these activities could be
employees working at the company, e-mail addresses,
websites, external services used, customers, naming
conventions, E-mail & VPN systems and sometimes
even passwords. The sources which can be used for
passive enumeration are numerous and consist of the
following among many others:
• Google
• Social media like LinkedIn, Twitter & Facebook
• Company websites
• Press releases
• Forums
• Whois databases
• Data breaches
SEMI PASSIVE INFORMATION
GATHERING
Earlier we mentioned that passive information gathering
does not touch company servers or leave logs of
presence on target systems. When passive information
gathering methods do connect to (company) servers
but appear like regular traffic, we are talking about
semi passive information gathering. Semi passive
information gathering could be visiting the company
website to collect information about employees. Visiting
the company website is directly engaging with the target
because we are connecting with a company server,
or at least it’s owned and managed by the company.
Since this traffic appears like regular traffic which is not
distinct from other regular traffic it is considered semi
passive.
• CNAME records are records used for aliasing
domains. CNAME stands for canonical name and
associate sub-domains with existing domain DNS
records.
• NS record which stands for name server indicating
the authoritative name server for the domain.
• SOA records, which stands for State of Authority,
contain information about the domain like the
primary name server, a timestamp when the
domain was last updated and the responsible party
for the domain.
• PTR or pointer records mapping an IPv4 address to
the CNAME on the host.
• TXT records contain text inserted by the
administrator such as notes.
The information retrieved with DNS enumeration
consists of names servers, IP addresses of potential
targets such as mail servers, sub-domains etc. Some
tools included with Kali Linux used for DNS enumeration
are: whois, nslookup, dig, host and automated tools
like Fierce, DNSenum and DNSrecon. Let’s go through
these tools briefly and see how we can use them for
DNS enumeration.
To read further, please purchase an access pass on our
website www.virtualhackinglabs.com

DNS ENUMERATION
DNS enumeration is the process of identifying the
DNS servers and the corresponding DNS records. DNS
stands for Domain Name System which is a database
containing information about domain names and IP
addresses. The DNS records are the database records
which associate the IP with the domain name. The most
important records for DNS enumeration are the:
• A (address) records containing the IP address of the
domain.
• MX records which stand for mail exchange and
contain the mail exchange servers.
5.2 HOW TO WORK WITH EXPLOITS

In the previous chapter we have used the exploit-db website and searchsploit to verify that exploits are
available for the discovered vulnerabilities. Now we will have a look at where to go from there because
these exploits will not download, modify and execute themselves (hopefully). After we have found an
exploit for a known vulnerability we need to do a couple of things before we can safely launch it against
a target.
Most exploits are scripts written in Python, Perl, Ruby or
Bash and need to be downloaded to the attack box. On DOWNLOADING EXPLOITS
the attack box we need to analyse the exploit code to Before we can start modifying an exploit we first need
confirm that the exploit exactly does what it advertises. to download it to the attack machine. Transferring
We don’t want to open backdoors on the attack machine, exploits to target hosts will be covered in a separate
wipe an entire hard drive on the target machine with chapter since this involves very different techniques
a remote root exploit or add the machine to a botnet. and sometimes tools. The easiest ways to get exploit is
After we’ve verified that we’re dealing with an authentic by downloading them from exploit-db via a browser or
exploit we often need to make a few modifications to wget and by coping the exploit from searchsploit.
make it work for our target. These modifications can be
anything from simply adding a host, port or credentials Simply press the download button to download the
to variables to replacing bind/reverse shellcode and exploit to your machine:
modifying offsets in buffer overflow exploits.

Many exploits are written as proof of concepts (POC)

which means that these scripts prove the fact that a
target (service) is vulnerable. A proof of concept for a
remote code execution vulnerability might just execute We can also use wget to download the exploit from a
the ifconfig command and display the output on a command line:We can also use wget to download the
webpage. This is pretty useless when you want to gain exploit from a command line:
a shell on the host but it does prove that the command
in the exploit was executed. The modification for this wget [URL to exploit download] -O 35513.py
exploit would consist of replacing the ifconfig command
with a reverse or bind shell command.

Another reason to read through the exploit code is

for usage instructions. Most scripts take one or more
arguments, such as a target host, a port and sometimes
even credentials. Many exploits print the usage
instructions to the terminal by default when you execute Or we can copy the exploit from the searchsploit
them without arguments. But remember that we aren’t database:
executing anything yet in this stage. By analysing the
exploit code we can find out which arguments are
needed and how they are processed in the script. When
you’re dealing with a remote exploit that doesn’t take a
target host as argument you’re probably dealing with a
fake and potentially dangerous exploit. Be sure to copy the exploit file to another location and
not modify the original one. You might need to revert to
So far we’ve talked about exploits written in any of the the original file or need it again someday. Now that we
scripting languages such as Python and Perl which can have downloaded (or copied) the exploit we can start
be executed using an interpreter. Many other exploits analysing and modifying the exploit code.
are written in programming languages like C that need To read further, please purchase an access pass on our
to be compiled before we are able execute them. This is website www.virtualhackinglabs.com
often the case for privilege escalation exploits for Linux
and Windows. In the following chapters we will learn
how to compile local privilege escalation exploits for
Linux and Windows.

Now that we know the tasks that we’re up against before

we can start executing exploits, let’s walk through the
process by downloading, analysing, modifying and
compiling some exploits.
WWW.VIRTUALHACKINGLABS.COM