
VIRTUAL HACKING LABS

PENETRATION TESTING
COURSEWARE SAMPLE

WWW.VIRTUALHACKINGLABS.COM
INTRODUCTION

ABOUT US
The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing training solutions. We believe that the most effective and efficient learning approach is to combine practical scenario-based training with easy to understand courseware. To fulfil this learning experience we have created a full virtual penetration testing environment called: The Virtual Hacking Labs.

Our mission is to create the best Virtual Hacking Labs and training materials at an affordable rate for as many (aspiring) information security professionals as possible. The Virtual Hacking Labs wants to provide continuously updated labs and courseware that can be used to maintain the knowledge and skill levels that are expected from IT security professionals. We also want to make practical training available for anyone aspiring to a job as ethical hacker or penetration tester. For this reason our courseware starts from the basics and gradually increases difficulty by covering more advanced subjects.

PENETRATION TESTING LAB
The Virtual Hacking Labs is a penetration testing lab accompanied by extensive courseware covering the most important subjects in the field of penetration testing. The Virtual Hacking Labs contain many real-world scenarios that allow you to learn and practice penetration testing in a safe environment. Many of these scenarios can be found in a lot of company IT environments and contain devices such as: domain controllers, firewalls, Linux and Windows servers, NAS, Android devices and of course Windows and Linux clients. All devices and machines in the labs are configured to be intentionally vulnerable and can be exploited in one or more ways.

The courseware that is included with every access pass covers all phases of penetration testing, from enumeration to exploitation. By enumerating the lab machines you will learn how to gather information that can be used for vulnerability assessments and finally to exploit the machines. In the labs you will learn how to enumerate and exploit protocols such as FTP, SNMP & SMB. You will also learn how to exploit web applications that are vulnerable to Remote Code Execution, SQL injection, Local File Inclusion, Remote File Inclusion and many more vulnerabilities. After getting an initial command line shell on an exploited target, you will have the opportunity to practice privilege escalation techniques that are used to upgrade the current shell to one with administrator privileges.

TRAINING MATERIALS
Along with the lab access we provide all the written courseware and documentation that is needed to learn penetration testing and be successful in the labs. We keep the training material up-to-date continuously to make sure you will learn the latest insights and techniques in the field of ethical hacking.

The courseware is written in a way that is easily understandable for anyone new in the field of penetration testing. We start with the very basics of penetration testing and gradually increase the difficulty by covering more advanced subjects.

LAB ACCESS
Access to the Virtual Hacking Labs is provided through a VPN client which connects you to the network as if it were a real company network. We provide several popular pre-configured penetration testing distributions such as Kali Linux and Parrot Security OS. Installing the penetration testing distribution of your choice is very easy and usually consists of a few clicks.

VULNERABLE HOSTS
In the labs you will learn how to compromise both Windows and Linux hosts running web servers, mail servers, development tools and many more services and protocols. You will also encounter network devices like virtual firewalls, routers and NAS systems commonly used in both personal and enterprise settings. Every system is configured to contribute to a specific learning experience using one or more attack vectors.

We keep the labs up-to-date with new machines and recently discovered high-impact vulnerabilities on a monthly basis. This is how we want to keep your knowledge and experience up-to-date.

Do you prefer a full black box approach and root all machines on your own, or do you prefer a balance between the theoretical and practical parts of the course with some help along the way?

RESET PANEL
The Virtual Hacking Labs reset panel can be used to reset hosts in the lab network back to their original state. Resetting a host is particularly useful when a host is left in a state where it is not vulnerable anymore. Resetting the host will give you a fresh start on the machine. Every student is allowed to reset hosts in the lab every 15 minutes through the reset panel. This guarantees an effective learning experience as designed, without delays.

STUDENT PANEL
All students have access to a dedicated student panel that can be used to track your course and lab progress. This panel also provides information about the lab machines, including hints for anyone that's stuck at a specific box. This way you can choose what your learning path will look like. The hints are not direct solutions for the lab machines but they contain enough information to push you in the right direction. To keep the Virtual Hacking Labs challenging for everyone we only provide hints for the Beginner and Advanced machines. The Advanced+ hosts are the final challenge and are excluded from hints.

CERTIFICATE OF COMPLETION
Those who manage to get root/administrator access on at least 20 lab machines can request a certificate of completion. This trophy consists of a PDF certificate with your name and a set of badges to use on social media such as LinkedIn. The VHL Certificate of Completion is included at no additional cost with a month pass and greater.

To be eligible for the VHL Certificate of Completion you need to:
1. Get root/administrator access on at least 20 lab machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab machines.
4. Supply the contents of the key.txt files from the rooted lab machines.

The documentation should at least contain information about the exploited vulnerabilities, such as the CVE IDs, the exploits used and screenshots of the exploitation process. The screenshots should contain at least the following information: the lab machine IP, your IP and the commands used (command line, URLs, requests etc.). For privilege escalation also include screenshots with the output of the id/whoami/getuid command before and after executing the exploit.

After submitting the documentation we will manually verify the information and check the authenticity of the screenshots. Be sure to include in the documentation your student ID and the full name to display on the Certificate of Completion. Also use the e-mail address you have signed up with at the Virtual Hacking Labs. When the supplied documentation and screenshots have been approved we will send the Certificate of Completion as soon as possible.

Completing the penetration testing course may qualify you for 40 (ISC)² CPE and EC-Council credit hours. The Certificate of Completion can be used as proof of completing the course.

PRICING
Access passes include all access to our labs, the online courseware, the courseware e-book and a certificate of completion, except for the week pass, which does not include the certificate and the e-book version of the courseware.

1 week access    $49    €46
1 month access   $99    €93
3 month access   $249   €233
6 month access   $449   €419
1 year access    $749   €699
COURSE TABLE OF CONTENTS

1. PENETRATION TESTING BASICS
   1. Intro
   2. About Penetration testing
   3. The Penetration process explained
   4. Jobs and professional opportunities

2. ACCESSING THE LABS
   1. Intro
   2. Installing Kali Linux
   3. VPN Access
   4. Reset panel
   5. Rules & Restrictions
   6. Legal
   7. Certificate of Completion
   8. Where to start from here?

3. INFORMATION GATHERING
   1. Intro
   2. Passive information gathering
   3. Active information gathering

4. VULNERABILITY ASSESSMENT
   1. Intro
   2. Metasploitable 2 enumeration information & Vulnerabilities
   3. Vulnerability & Exploit databases
   4. Nmap scripts
   5. OpenVAS automated vulnerability scanning

5. EXPLOITATION
   1. Intro
   2. How to work with exploits and where to find them
   3. Compiling Linux kernel exploits
   4. Compiling Windows exploits on Linux
   5. Transferring exploits
   6. Exploiting vulnerabilities in practice

6. PRIVILEGE ESCALATION
   1. Intro
   2. Privilege escalation on Linux
   3. Privilege escalation on Windows

7. WEB APPLICATIONS
   1. Intro
   2. Local and Remote File Inclusion (LFI/RFI)
   3. Remote Code Execution
   4. Remote Command Execution
   5. SQL Injection Basics
   6. Web shells
   7. File Upload Vulnerabilities

8. PASSWORD ATTACKS
   1. Intro
   2. Generating password lists
   3. Windows passwords and hashes
   4. Cracking hashes with John
   5. Web application passwords

9. NETWORKING & SHELLS
   1. Intro
   2. Netcat shells
   3. Upgrading a Netcat shell to Meterpreter

10. METASPLOIT
   1. Intro
   2. Basic Commands
   3. Exploit Commands
   4. Meterpreter Basics
3.2 PASSIVE INFORMATION GATHERING

Passive information gathering is the process of collecting information about a specific target from publicly available sources. This kind of information gathering is all about 'getting to know your target'. The process of passive information gathering is often performed before starting the actual penetration test on the network and often returns valuable information for other stages of the penetration test. Many companies leak information, intentionally or unintentionally, which can be picked up by hackers without even touching the company servers. The leaked information can be combined with other information, which can be very helpful in later stages of the penetration test. Think of employee names combined with company naming conventions for account names. Social media and company blogs can also be a great source for passive information gathering.

Passive information gathering activities should be focused on identifying IP addresses, (sub)domains, external partners and services, technologies used, people employed and any other useful information. The information gathered from these activities could be employees working at the company, e-mail addresses, websites, external services used, customers, naming conventions, e-mail & VPN systems and sometimes even passwords. The sources which can be used for passive enumeration are numerous and consist of the following, among many others:
• Google
• Social media like LinkedIn, Twitter & Facebook
• Company websites
• Press releases
• Forums
• Whois databases
• Data breaches

SEMI PASSIVE INFORMATION GATHERING
Earlier we mentioned that passive information gathering does not touch company servers or leave logs of your presence on target systems. When information gathering methods do connect to (company) servers but the traffic looks like regular traffic, we are talking about semi passive information gathering. An example of semi passive information gathering is visiting the company website to collect information about employees. Visiting the company website is directly engaging with the target because we are connecting to a company server, or at least one that is owned and managed by the company. Since this traffic looks like regular traffic and is not distinct from other visitors' traffic, it is considered semi passive.

DNS ENUMERATION
DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records. DNS stands for Domain Name System, a distributed database containing information about domain names and IP addresses. The DNS records are the database records which associate names with IP addresses and with other names. The most important records for DNS enumeration are the:
• A (address) records containing the IPv4 address of the domain (AAAA records hold the IPv6 address).
• MX records, which stands for mail exchange, listing the mail servers that accept mail for the domain, each with a preference value.
• CNAME records, which stands for canonical name, used for aliasing: they associate a sub-domain with an existing DNS name, often one belonging to a third-party service the company uses.
• NS records, which stands for name server, indicating the authoritative name servers for the domain.
• SOA records, which stands for Start of Authority, contain information about the zone like the primary name server, the responsible party (an e-mail address with the @ written as a dot) and a serial number that is changed whenever the zone is updated.
• PTR or pointer records mapping an IP address back to a host name (reverse DNS, stored under in-addr.arpa for IPv4 and ip6.arpa for IPv6). Reverse lookups over a target's IP range are a good way to find host names that are not published anywhere else.
• TXT records contain text inserted by the administrator, such as notes, but also SPF, DKIM and DMARC policies and domain-verification tokens that reveal which third-party services a company uses.

The information retrieved with DNS enumeration consists of name servers, IP addresses of potential targets such as mail servers, sub-domains etc. Some tools included with Kali Linux used for DNS enumeration are: whois, nslookup, dig, host and automated tools like Fierce, DNSenum and DNSrecon. Keep in mind that DNS queries are not truly passive: even a lookup through a public resolver ends up at the target's authoritative name servers on a cache miss, and querying those servers directly (certainly a zone transfer attempt with dig axfr) is active and can be logged. Let's go through these tools briefly and see how we can use them for DNS enumeration.

To read further, please purchase an access pass on our website www.virtualhackinglabs.com
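What dig, host and the automated tools do under the hood, as an added example that is not part of the Virtual Hacking Labs courseware: a minimal DNS client in Python that builds the query packet, sends it over UDP and parses the reply, including the A, AAAA, NS, CNAME, SOA, PTR, MX and TXT record types listed above. The example.com names, the 192.0.2.10 address and the reply packet in sample_response() are constructed for illustration (reserved documentation names and addresses), not captured from a real server, so the parser can be exercised offline; query() and enumerate_domain() need network access.

```python
import random
import socket
import struct

# Record type codes from RFC 1035 (AAAA: RFC 3596).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {code: name for name, code in QTYPES.items()}

def encode_name(name):
    # 'mail.example.com' -> b'\x04mail\x07example\x03com\x00' (length-prefixed labels)
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=None):
    # 12-byte header (random id, flags RD=1, one question) + QNAME + QTYPE + QCLASS IN
    txid = random.randrange(1 << 16) if txid is None else txid
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)

def read_name(msg, off):
    # Decode a name at msg[off], following compression pointers; return (name, offset after it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_rdata(msg, rtype, off, rdlen):
    # Render one record's RDATA according to its type.
    rd = msg[off:off + rdlen]
    if rtype == 1:
        return ".".join(str(b) for b in rd)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rd)
    if rtype in (2, 5, 12):  # NS, CNAME, PTR: one domain name
        return read_name(msg, off)[0]
    if rtype == 15:  # MX: 16-bit preference, then the exchange name
        return (struct.unpack(">H", rd[:2])[0], read_name(msg, off + 2)[0])
    if rtype == 6:  # SOA: primary NS, responsible party, serial + four timers
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        fields = ("serial", "refresh", "retry", "expire", "minimum")
        return {"mname": mname, "rname": rname, **dict(zip(fields, struct.unpack(">IIIII", msg[o:o + 20])))}
    if rtype == 16:  # TXT: one or more length-prefixed strings
        strings, i = [], 0
        while i < rdlen:
            strings.append(rd[i + 1:i + 1 + rd[i]].decode(errors="replace"))
            i += 1 + rd[i]
        return strings
    return rd.hex()

def parse_response(msg):
    # Header, skip the echoed question(s), then every answer/authority/additional record.
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # QNAME, then QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "records": records}

def query(server, name, qtype, timeout=3.0):
    # One UDP query to a resolver or authoritative server (network; not used by the offline check).
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack(">H", q[:2])[0]:  # reject replies that are not ours
        raise ValueError("transaction id mismatch")
    return resp

def enumerate_domain(server, name):
    # The first thing dnsenum/dnsrecon do: ask for every interesting record type of the domain.
    return {t: query(server, name, t)["records"] for t in ("A", "AAAA", "NS", "MX", "SOA", "TXT")}

def sample_response():
    # Hand-built MX reply for example.com (constructed, not captured): one answer plus one additional A.
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # flags: QR=1, RD=1, RA=1, rcode 0
    question = encode_name("example.com") + struct.pack(">HH", QTYPES["MX"], 1)
    mail_off = len(header) + len(question) + 2 + 10 + 2  # where the 'mail' label will sit
    mx_rdata = struct.pack(">H", 10) + b"\x04mail" + b"\xc0\x0c"  # 'mail' + pointer to example.com at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPES["MX"], 1, 3600, len(mx_rdata)) + mx_rdata
    extra = struct.pack(">H", 0xC000 | mail_off) + struct.pack(">HHIH", QTYPES["A"], 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer + extra
```

parse_response(sample_response()) returns the MX record for example.com and the A record for its mail server that the reply carries as additional data; enumerate_domain("<resolver or authoritative server IP>", "target.tld") does the live lookups. The name compression handled in read_name is the reason a raw packet is shorter than the dig output for the same answer, and the transaction id check in query() is the minimum a client needs to avoid accepting a spoofed reply.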
5.2 HOW TO WORK WITH EXPLOITS

In the previous chapter we used the exploit-db website and searchsploit to verify that exploits are available for the discovered vulnerabilities. Now we will have a look at where to go from there, because these exploits will not download, modify and execute themselves (hopefully). After we have found an exploit for a known vulnerability we need to do a couple of things before we can safely launch it against a target.

Most exploits are scripts written in Python, Perl, Ruby or Bash and need to be downloaded to the attack box. On the attack box we need to analyse the exploit code to confirm that the exploit does exactly what it advertises. We don't want to open backdoors on the attack machine, wipe an entire hard drive on the target machine with a remote root exploit or add the machine to a botnet. After we've verified that we're dealing with an authentic exploit we often need to make a few modifications to make it work for our target. These modifications can be anything from simply adding a host, port or credentials to variables, to replacing bind/reverse shellcode and modifying offsets in buffer overflow exploits.

Many exploits are written as proofs of concept (PoC), which means that these scripts prove the fact that a target (service) is vulnerable. A proof of concept for a remote code execution vulnerability might just execute the ifconfig command and display the output on a web page. This is pretty useless when you want to gain a shell on the host, but it does prove that the command in the exploit was executed. The modification for this exploit would consist of replacing the ifconfig command with a reverse or bind shell command.

Another reason to read through the exploit code is for usage instructions. Most scripts take one or more arguments, such as a target host, a port and sometimes even credentials. Many exploits print the usage instructions to the terminal by default when you execute them without arguments. But remember that we aren't executing anything yet at this stage. By analysing the exploit code we can find out which arguments are needed and how they are processed in the script. When you're dealing with a remote exploit that neither takes a target host as an argument nor defines one in a variable you can edit, you're probably dealing with a fake and potentially dangerous exploit.

So far we've talked about exploits written in scripting languages such as Python and Perl, which can be executed using an interpreter. Many other exploits are written in programming languages like C that need to be compiled before we are able to execute them. This is often the case for privilege escalation exploits for Linux and Windows. In the following chapters we will learn how to compile local privilege escalation exploits for Linux and Windows.

Now that we know the tasks that we're up against before we can start executing exploits, let's walk through the process by downloading, analysing, modifying and compiling some exploits.

DOWNLOADING EXPLOITS
Before we can start modifying an exploit we first need to download it to the attack machine. Transferring exploits to target hosts will be covered in a separate chapter, since this involves very different techniques and sometimes different tools. The easiest ways to get an exploit are downloading it from exploit-db via a browser or wget, and copying the exploit from searchsploit.

Simply press the download button to download the exploit to your machine:

We can also use wget to download the exploit from a command line:

wget [URL to exploit download] -O 35513.py

Or we can copy the exploit from the searchsploit database:

Be sure to copy the exploit file to another location and not modify the original one. You might need to revert to the original file or need it again someday. Now that we have downloaded (or copied) the exploit we can start analysing and modifying the exploit code.

To read further, please purchase an access pass on our website www.virtualhackinglabs.com