Courseware Sample
PENETRATION TESTING
COURSEWARE SAMPLE
WWW.VIRTUALHACKINGLABS.COM
INTRODUCTION
ABOUT US
The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing training solutions. We believe that the most effective and efficient learning approach is to combine practical scenario based training with easy to understand courseware. To fulfil this learning experience we have created a full virtual penetration testing environment called: The Virtual Hacking Labs.
Our mission is to create the best Virtual Hacking Labs and training materials at an affordable rate for as many (aspiring) information security professionals as possible. The Virtual Hacking Labs want to provide continuously updated labs and courseware that can be used to maintain the knowledge and skill levels that are expected from IT security professionals. We also want to make practical training available for anyone aspiring to a job as ethical hacker or penetration tester. For this reason our courseware starts from the basics and gradually increases difficulty by covering more advanced subjects.
PENETRATION TESTING LAB
The Virtual Hacking Labs is a penetration testing lab accompanied with extensive courseware covering the most important subjects in the field of penetration testing. The Virtual Hacking Labs contain many real world scenarios that allow you to learn and practice penetration testing in a safe environment. Many of these scenarios can be found in a lot of company IT environments and contain devices such as: Domain Controllers, Firewalls, Linux and Windows servers, NAS, Android devices and of course Windows and Linux clients. All devices and machines in the labs are configured to be intentionally vulnerable and can be exploited in one or more ways.
VULNERABLE HOSTS
In the labs you will learn how to compromise both Windows and Linux hosts running webservers, mail servers, development tools and many more services and protocols. You will also encounter network devices like virtual firewalls, routers and NAS systems commonly used in both personal and enterprise settings. Every system is configured to contribute to a specific learning experience using one or more attack vectors.
[…] that are vulnerable to Remote Code Execution, SQL injection, Local File Inclusion, Remote File Inclusion and many more vulnerabilities. After getting an initial command line shell on an exploited target, you will have the opportunity to practice privilege escalation techniques that are used to upgrade the current shell with administrator privileges.
LAB ACCESS
Access to the Virtual Hacking Labs is provided through a VPN client which connects you to the network as if it is a real company network. We provide several popular pre-configured penetration testing distributions such as Kali Linux and Parrot Security OS. Installing the penetration testing distribution of your choice is very easy and usually consists of a few clicks.
RESET PANEL
The Virtual Hacking Labs reset panel can be used to reset hosts in the lab network back to their original state. Resetting a host is particularly useful when a host is left in a state where it is not vulnerable anymore. Resetting the host will give you a fresh start on the machine. Every student is allowed to reset hosts in the lab every 15 minutes through the reset panel. This guarantees an effective learning experience as designed without delays.
STUDENT PANEL
All students have access to a dedicated student panel that can be used to track your course and lab progress. This panel also provides information about the lab machines, including hints for anyone that’s stuck at a specific box. This way you can choose what your learning path will look like.
The hints are not direct solutions for the lab machines but they contain enough information to push you in the right direction. To keep the Virtual Hacking Labs challenging for everyone we only provide hints for the Beginner and Advanced machines. The Advanced+ hosts are the final challenge and are excluded from hints.
CERTIFICATE OF COMPLETION
Those who have managed to get root/administrator access on at least 20 lab machines can request a certificate of completion. This trophy consists of a PDF certificate with your name and a set of badges to use for social media such as LinkedIn. The VHL Certificate of Completion is included at no additional cost with a month pass and greater.
To be eligible for the VHL Certificate of Completion you need to:
1. Get root/administrator access on at least 20 lab machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab machines.
4. Supply the contents of key.txt files from the rooted lab machines.
The documentation should at least contain information about the exploited vulnerabilities, such as the CVE IDs, used exploits and screenshots of the exploitation process. The screenshots should contain at least the following information: lab machine IP, your IP and the used commands (command line, URLs, requests etc.). For privilege escalation also include screenshots with the output of the id/whoami/getuid command before and after executing the exploit.
After submitting the documentation we will manually verify the information and check the authenticity of the screenshots. Be sure to include your student ID and full name to display on the Certificate of Completion in the documentation. Also use the e-mail address you have signed up with to the Virtual Hacking Labs. When the supplied documentation and screenshots have been approved we will send the Certificate of Completion as soon as possible.
Completing the penetration testing course may qualify you for 40 (ISC)² CPE and EC Council credit hours. The Certificate of Completion can be used as proof for completing the course.
PRICING
Access passes include all access to our labs, online courseware, courseware e-book and a certificate of completion, except for the week pass, which does not include the certificate and the e-book version of the courseware.
1 week access: $49 / €46
1 month access: $99 / €93
3 month access: $249 / €233
6 month access: $449 / €419
1 year access: $749 / €699
COURSE TABLE OF CONTENTS
Passive information gathering is the process of collecting information about a specific target from publicly available sources. This kind of information gathering is all about ‘getting to know your target’. Passive information gathering is often performed before starting the actual penetration test on the network and often returns valuable information for other stages of the penetration test. Many companies leak information, intentionally or unintentionally, which can be picked up by hackers without even touching the company servers. The leaked information can be combined with other information, which can be very helpful in later stages of the penetration test. Think of employee names combined with company naming conventions for account names. Social media and company blogs can also be a great source for passive information gathering.
Passive information gathering activities should be focused on identifying IP addresses, (sub)domains, external partners and services, technologies used, people employed and any other useful information. The information gathered from these activities could be employees working at the company, e-mail addresses, websites, external services used, customers, naming conventions, e-mail & VPN systems and sometimes even passwords. The sources which can be used for passive enumeration are numerous and include the following, among many others:
• Google
• Social media like LinkedIn, Twitter & Facebook
• Company websites
• Press releases
• Forums
• Whois databases
• Data breaches
SEMI PASSIVE INFORMATION GATHERING
Earlier we mentioned that passive information gathering does not touch company servers or leave logs of presence on target systems. When passive information gathering methods do connect to (company) servers but appear like regular traffic, we are talking about semi passive information gathering. Semi passive information gathering could be visiting the company website to collect information about employees. Visiting the company website is directly engaging with the target because we are connecting to a company server, or at least one that is owned and managed by the company. Since this traffic appears like regular traffic and is not distinct from other regular traffic, it is considered semi passive.
DNS ENUMERATION
DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records. DNS stands for Domain Name System, which is a database containing information about domain names and IP addresses. The DNS records are the database records which associate the IP with the domain name. The most important records for DNS enumeration are the:
• A (address) records containing the IP address of the domain.
• MX records, which stand for mail exchange and contain the mail exchange servers.
• CNAME records, which are used for aliasing domains. CNAME stands for canonical name; these records associate sub-domains with existing domain DNS records.
• NS records, which stand for name server and indicate the authoritative name server for the domain.
• SOA records, which stand for Start of Authority, contain information about the domain like the primary name server, a timestamp when the domain was last updated and the responsible party for the domain.
• PTR or pointer records mapping an IPv4 address to the canonical name of the host.
• TXT records contain text inserted by the administrator such as notes.
The information retrieved with DNS enumeration consists of name servers, IP addresses of potential targets such as mail servers, sub-domains etc. Some tools included with Kali Linux used for DNS enumeration are: whois, nslookup, dig, host and automated tools like Fierce, DNSenum and DNSrecon. Let’s go through these tools briefly and see how we can use them for DNS enumeration.
To read further, please purchase an access pass on our website www.virtualhackinglabs.com
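The record types listed above are easier to reason about once the raw answers are turned into the inventory the text describes (name servers, mail servers, sub-domains). This is an added example, not courseware code: it parses answer lines in dig's "owner ttl IN type rdata" layout for a constructed sample zone (example.com is reserved for documentation, so nothing here is a real lookup).

```python
import re
from collections import defaultdict

# Constructed sample answers in dig's "<owner> <ttl> IN <type> <rdata>" format
# for a fictional zone (example.com is reserved for documentation); no real lookups.
SAMPLE_ANSWERS = """\
example.com.              3600 IN A     192.0.2.10
www.example.com.          3600 IN CNAME example.com.
mail.example.com.         3600 IN A     192.0.2.25
example.com.              3600 IN MX    20 backup.example.com.
example.com.              3600 IN MX    10 mail.example.com.
example.com.              3600 IN NS    ns1.example.com.
example.com.              3600 IN NS    ns2.example.com.
example.com.              3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024031501 7200 900 1209600 300
example.com.              300  IN TXT   "v=spf1 mx -all"
10.2.0.192.in-addr.arpa.  3600 IN PTR   example.com.
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_answers(text):
    """Group answer lines by record type: {'A': [(owner, rdata), ...], ...}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[rtype].append((owner.rstrip("."), rdata.strip()))
    return records

def build_inventory(records, zone):
    """Reduce raw records to the targets the text lists: name servers, mail servers
    (lowest MX preference first, with A record if known), sub-domains, SOA, PTR, TXT."""
    addresses = dict(records["A"])
    mail = []
    for _, rdata in records["MX"]:
        pref, host = rdata.split()
        mail.append((int(pref), host.rstrip(".")))
    owners = set(addresses) | {owner for owner, _ in records["CNAME"]}
    soa = records["SOA"][0][1].split() if records["SOA"] else None
    return {
        "name_servers": sorted(v.rstrip(".") for _, v in records["NS"]),
        "mail_servers": [(h, addresses.get(h)) for _, h in sorted(mail)],
        "subdomains": sorted(o for o in owners if o.endswith("." + zone)),
        "soa": None if not soa else {"primary": soa[0].rstrip("."),
                                     "responsible": soa[1].rstrip("."),
                                     "serial": int(soa[2])},
        "reverse": [(o, v.rstrip(".")) for o, v in records["PTR"]],
        "txt": [v.strip('"') for _, v in records["TXT"]],
    }
```

Feeding it the answer section of your own zone's dig output is a quick way to see which hosts, mail exchangers and notes you are publishing to anyone who asks.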
5.2 HOW TO WORK WITH EXPLOITS
In the previous chapter we have used the exploit-db website and searchsploit to verify that exploits are available for the discovered vulnerabilities. Now we will have a look at where to go from there because these exploits will not download, modify and execute themselves (hopefully). After we have found an exploit for a known vulnerability we need to do a couple of things before we can safely launch it against a target.
Most exploits are scripts written in Python, Perl, Ruby or Bash and need to be downloaded to the attack box. On the attack box we need to analyse the exploit code to confirm that the exploit does exactly what it advertises. We don’t want to open backdoors on the attack machine, wipe an entire hard drive on the target machine with a remote root exploit or add the machine to a botnet. After we’ve verified that we’re dealing with an authentic exploit we often need to make a few modifications to make it work for our target. These modifications can be anything from simply adding a host, port or credentials to variables, to replacing bind/reverse shellcode and modifying offsets in buffer overflow exploits.
DOWNLOADING EXPLOITS
Before we can start modifying an exploit we first need to download it to the attack machine. Transferring exploits to target hosts will be covered in a separate chapter since this involves very different techniques and sometimes tools. The easiest ways to get an exploit are by downloading it from exploit-db via a browser or wget, or by copying the exploit from searchsploit.
Simply press the download button to download the exploit to your machine: