Important Pentest Tools You must Check

PowerUpSQL
• SysInternals
• Donut
• Chisel
• Powermad
• Burpsuite
• Metasploit
• Powershell-Suite
• Rubeus
• Fuzzdb
• gobuster
• Acunetix
• Nessus
• Cobalt Strike
• PowerSploit
• Impacket
• PingCastle
• Process Hacker
• Hashcat
• John the Ripper
• Hydra
• Aircrack-ng
• Burpsuite
• Metasploit
•Lair – Reactive attack collaboration framework and web application built with meteor.
•Pentest Collaboration Framework (PCF) – Open source, cross-platform, and portable toolkit for automating routine pentest processes with a team.
•peda – Python Exploit Development Assistance for GDB.
•Industrial Exploitation Framework (ISF) – Metasploit-like exploit framework based on routersploit designed to target Industrial Control Systems (ICS), SCADA devices, PLC firmware, and more.
•Decker – Penetration testing orchestration and automation framework, which allows writing declarative, reusable configurations capable of ingesting variables and using outputs of tools it has run as inputs to others.
•Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments.
• CrackMapExec – Swiss army knife for pentesting networks.
•SigPloit – Signaling security testing framework dedicated to telecom security for researching vulnerabilites in the signaling protocols used in mobile (cellular phone) operators.•
•ACLight – Script for advanced discovery of sensitive Privileged •Accounts – includes Shadow Admins.
• AQUATONE – Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.•
•CloudFail – Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
•DNSDumpster – Online DNS recon and search service.
•Mass Scan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
•OWASP Amass – Subdomain enumeration via scraping, web archives, brute forcing, permutations, reverse DNS sweeping, TLS certificates, passive DNS data sources, etc.
•celerystalk – Asynchronous enumeration and vulnerability scanner that “runs all the tools on all the hosts” in a configurable manner.
•kube-hunter – Open-source tool that runs a set of tests (“hunters”) for security issues in Kubernetes clusters from either outside (“attacker’s view”) or inside a cluster.
•Active Directory and Privilege Escalation (ADAPE) – Umbrella script that automates numerous useful PowerShell modules to discover security misconfigurations and attempt privilege escalation against Active Directory.
•GTFOBins – Curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
• LOLBAS (Living Off The Land Binaries and Scripts) – Documents binaries, scripts, and libraries that can be used for “Living Off The

https://github.com/enaqx/awesome-pentest

Web Application Penetration Testing – Training

Web Application Penetration Testing

Phase 1 – History

History of Internet – https://www.youtube.com/watch?v=9hIQjrMHTv4

Phase 2 – Web and Server Technology

Basic concepts of web applications, how they work and the HTTP protocol – https://www.youtube.com/watch?v=RsQ1tFLwldY&t=7s
HTML basics part 1 – https://www.youtube.com/watch?v=p6fRBGI_BY0
HTML basics part 2 – https://www.youtube.com/watch?v=Zs6lzuBVK2w
Difference between static and dynamic website – https://www.youtube.com/watch?v=hlg6q6OFoxQ
HTTP protocol Understanding – https://www.youtube.com/watch?v=JFZMyhRTVt0
Parts of HTTP Request –https://www.youtube.com/watch?v=pHFWGN-upGM
Parts of HTTP Response – https://www.youtube.com/watch?v=c9sMNc2PrMU
Various HTTP Methods – https://www.youtube.com/watch?v=PO7D20HsFsY
Understanding URLS – https://www.youtube.com/watch?v=5Jr-_Za5yQM
Intro to REST – https://www.youtube.com/watch?v=YCcAE2SCQ6k
HTTP Request & Response Headers – https://www.youtube.com/watch?v=vAuZwirKjWs
What is a cookie – https://www.youtube.com/watch?v=I01XMRo2ESg
HTTP Status codes – https://www.youtube.com/watch?v=VLH3FMQ5BIQ
HTTP Proxy – https://www.youtube.com/watch?v=qU0PVSJCKcs
Authentication with HTTP – https://www.youtube.com/watch?v=GxiFXUFKo1M
HTTP basic and digest authentication – https://www.youtube.com/watch?v=GOnhCbDhMzk
What is “Server-Side” – https://www.youtube.com/watch?v=JnCLmLO9LhA
Server and client side with example – https://www.youtube.com/watch?v=DcBB2Fp8WNI
What is a session – https://www.youtube.com/watch?v=WV4DJ6b0jhg&t=202s
Introduction to UTF-8 and Unicode – https://www.youtube.com/watch?v=sqPTR_v4qFA
URL encoding – https://www.youtube.com/watch?v=Z3udiqgW1VA
HTML encoding – https://www.youtube.com/watch?v=IiAfCLWpgII&t=109s
Base64 encoding – https://www.youtube.com/watch?v=8qkxeZmKmOY
Hex encoding & ASCII – https://www.youtube.com/watch?v=WW2SaCMnHdU

Phase 3 – Setting up the lab with BurpSuite and bWAPP

MANISH AGRAWAL

Setup lab with bWAPP – https://youtube.com/watch?v=dwtUn3giwTk&index=1&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Set up Burp Suite – https://www.youtube.com/watch?v=hQsT4rSa_v0&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=2
Configure Firefox and add certificate – https://www.youtube.com/watch?v=hfsdJ69GSV4&index=3&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Mapping and scoping website – https://www.youtube.com/watch?v=H-_iVteMDRo&index=4&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Spidering – https://www.youtube.com/watch?v=97uMUQGIe14&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=5
Active and passive scanning – https://www.youtube.com/watch?v=1Mjom6AcFyU&index=6&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Scanner options and demo – https://www.youtube.com/watch?v=gANi4Kt7-ek&index=7&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Introduction to password security – https://www.youtube.com/watch?v=FwcUhcLO9iM&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=8
Intruder – https://www.youtube.com/watch?v=wtMg9oEMTa8&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=9
Intruder attack types – https://www.youtube.com/watch?v=N5ndYPwddkQ&index=10&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Payload settings – https://www.youtube.com/watch?v=5GpdlbtL-1Q&index=11&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
Intruder settings – https://www.youtube.com/watch?v=B_Mu7jmOYnU&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=12

ÆTHER SECURITY LAB

1 Penetration testing tool – https://www.youtube.com/watch?v=AVzC7ETqpDo&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=1
Environment Setup – https://www.youtube.com/watch?v=yqnUOdr0eVk&index=2&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA
General concept – https://www.youtube.com/watch?v=udl4oqr_ylM&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=3
Proxy module – https://www.youtube.com/watch?v=PDTwYFkjQBE&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=4
Repeater module – https://www.youtube.com/watch?v=9Zh_7s5csCc&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=5
Target and spider module – https://www.youtube.com/watch?v=dCKPZUSOlr8&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=6
Sequencer and scanner module – https://www.youtube.com/watch?v=G-v581pXerE&list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA&index=7

Phase 4 – Mapping the application and attack surface

Spidering – https://www.youtube.com/watch?v=97uMUQGIe14&list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV&index=5
Mapping application using robots.txt – https://www.youtube.com/watch?v=akuzgZ75zrk
Discover hidden contents using dirbuster – https://www.youtube.com/watch?v=–nu9Jq07gA
Dirbuster in detail – https://www.youtube.com/watch?v=2tOQC68hAcQ
Discover hidden directories and files with intruder – https://www.youtube.com/watch?v=4Fz9mJeMNkI
Directory bruteforcing 1 – https://www.youtube.com/watch?v=ch2onB_LFoI
Directory bruteforcing 2 – https://www.youtube.com/watch?v=ASMW_oLbyIg
Identify application entry points – https://www.youtube.com/watch?v=IgJWPZ2OKO8&t=34s
Identify application entry points – https://www.owasp.org/index.php/Identify_application_entry_points_(OTG-INFO-006)
Identify client and server technology – https://www.youtube.com/watch?v=B8jN_iWjtyM

Identify server technology using banner grabbing (telnet) – https://www.youtube.com/watch?v=O67M-U2UOAg
Identify server technology using httprecon – https://www.youtube.com/watch?v=xBBHtS-dwsM
Pentesting with Google dorks Introduction – https://www.youtube.com/watch?v=NmdrKFwAw9U
Fingerprinting web server – https://www.youtube.com/watch?v=tw2VdG0t5kc&list=PLxLRoXCDIalcRS5Nb1I_HM_OzS10E6lqp&index=10
Use Nmap for fingerprinting web server – https://www.youtube.com/watch?v=VQV-y_-AN80
Review webs servers metafiles for information leakage – https://www.youtube.com/watch?v=sds3Zotf_ZY
Enumerate applications on web server – https://www.youtube.com/watch?v=lfhvvTLN60E
Identify application entry points – https://www.youtube.com/watch?v=97uMUQGIe14&list=PLDeogY2Qr-tGR2NL2X1AR5Zz9t1iaWwlM
Map execution path through application – https://www.youtube.com/watch?v=0I0NPiyo9UI
Fingerprint web application frameworks – https://www.youtube.com/watch?v=ASzG0kBoE4c

Phase 5 – Understanding and exploiting OWASP top 10 vulnerabilities

A closer look at all owasp top 10 vulnerabilities – https://www.youtube.com/watch?v=avFR_Af0KGk

IBM

Injection – https://www.youtube.com/watch?v=02mLrFVzIYU&index=1&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d
Broken authentication and session management – https://www.youtube.com/watch?v=iX49fqZ8HGA&index=2&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d
Cross-site scripting – https://www.youtube.com/watch?v=x6I5fCupLLU&index=3&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d
Insecure direct object reference – https://www.youtube.com/watch?v=-iCyp9Qz3CI&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d&index=4
Security misconfiguration – https://www.youtube.com/watch?v=cIplXL8idyo&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d&index=5
Sensitive data exposure – https://www.youtube.com/watch?v=rYlzTQlF8Ws&index=6&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d
Missing functional level access controls – https://www.youtube.com/watch?v=VMv_gyCNGpk&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d&index=7
Cross-site request forgery – https://www.youtube.com/watch?v=_xSFm3KGxh0&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d&index=8
Using components with known vulnerabilities –

https://www.youtube.com/watch?v=bhJmVBJ-F-4&index=9&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d

Unvalidated redirects and forwards – https://www.youtube.com/watch?v=L6bYKiLtSL8&index=10&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d

F5 CENTRAL

Injection – https://www.youtube.com/watch?v=rWHvp7rUka8&index=1&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Broken authentication and session management – https://www.youtube.com/watch?v=mruO75ONWy8&index=2&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Insecure deserialisation – https://www.youtube.com/watch?v=nkTBwbnfesQ&index=8&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Sensitive data exposure – https://www.youtube.com/watch?v=2RKbacrkUBU&index=3&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Broken access control – https://www.youtube.com/watch?v=P38at6Tp8Ms&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD&index=5
Insufficient logging and monitoring – https://www.youtube.com/watch?v=IFF3tkUOF5E&index=10&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD

XML external entities – https://www.youtube.com/watch?v=g2ey7ry8_CQ&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD&index=4
Using components with known vulnerabilities – https://www.youtube.com/watch?v=IGsNYVDKRV0&index=9&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Cross-site scripting – https://www.youtube.com/watch?v=IuzU4y-UjLw&index=7&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD
Security misconfiguration – https://www.youtube.com/watch?v=JuGSUMtKTPU&index=6&list=PLyqga7AXMtPPuibxp1N0TdyDrKwP9H_jD

LUKE BRINER

Injection explained – https://www.youtube.com/watch?v=1qMggPJpRXM&index=1&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X
Broken authentication and session management – https://www.youtube.com/watch?v=fKnG15BL4AY&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=2
Cross-site scripting – https://www.youtube.com/watch?v=ksM-xXeDUNs&index=3&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X
Insecure direct object reference – https://www.youtube.com/watch?v=ZodA76-CB10&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=4
Security misconfiguration – https://www.youtube.com/watch?v=DfFPHKPCofY&index=5&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X
Sensitive data exposure – https://www.youtube.com/watch?v=Z7hafbGDVEE&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=6
Missing functional level access control – https://www.youtube.com/watch?v=RGN3w831Elo&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=7
Cross-site request forgery – https://www.youtube.com/watch?v=XRW_US5BCxk&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=8
Components with known vulnerabilities – https://www.youtube.com/watch?v=pbvDW9pJdng&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=9
Unvalidated redirects and forwards – https://www.youtube.com/watch?v=bHTglpgC5Qg&list=PLpNYlUeSK_rkrrBox-xvSkm5lgaDqKa0X&index=10

Phase 6 – Session management testing

Bypass authentication using cookie manipulation – https://www.youtube.com/watch?v=mEbmturLljU
Cookie Security Via httponly and secure Flag – OWASP – https://www.youtube.com/watch?v=3aKA4RkAg78
Penetration testing Cookies basic – https://www.youtube.com/watch?v=_P7KN8T1boc
Session fixation 1 – https://www.youtube.com/watch?v=ucmgeHKtxaI
Session fixation 2 – https://www.youtube.com/watch?v=0Tu1qxysWOk
Session fixation 3 – https://www.youtube.com/watch?v=jxwgpWvRUSo
Session fixation 4 – https://www.youtube.com/watch?v=eUbtW0Z0W1g
CSRF – Cross site request forgery 1 – https://www.youtube.com/watch?v=m0EHlfTgGUU
CSRF – Cross site request forgery 2 – https://www.youtube.com/watch?v=H3iu0_ltcv4
CSRF – Cross site request forgery 3 – https://www.youtube.com/watch?v=1NO4I28J-0s
CSRF – Cross site request forgery 4 – https://www.youtube.com/watch?v=XdEJEUJ0Fr8
CSRF – Cross site request forgery 5 – https://www.youtube.com/watch?v=TwG0Rd0hr18
Session puzzling 1 – https://www.youtube.com/watch?v=YEOvmhTb8xA
Admin bypass using session hijacking – https://www.youtube.com/watch?v=1wp1o-1TfAc

Phase 7 – Bypassing client-side controls

What is hidden forms in HTML – https://www.youtube.com/watch?v=orUoGsgaYAE
Bypassing hidden form fields using tamper data – https://www.youtube.com/watch?v=NXkGX2sPw7I
Bypassing hidden form fields using Burp Suite (Purchase application) – https://www.youtube.com/watch?v=xahvJyUFTfM
Changing price on eCommerce website using parameter tampering – https://www.youtube.com/watch?v=A-ccNpP06Zg
Understanding cookie in detail – https://www.youtube.com/watch?v=_P7KN8T1boc&list=PLWPirh4EWFpESKWJmrgQwmsnTrL_K93Wi&index=18
Cookie tampering with tamper data- https://www.youtube.com/watch?v=NgKXm0lBecc
Cookie tamper part 2 – https://www.youtube.com/watch?v=dTCt_I2DWgo
Understanding referer header in depth using Cisco product – https://www.youtube.com/watch?v=GkQnBa3C7WI&t=35s
Introduction to ASP.NET viewstate – https://www.youtube.com/watch?v=L3p6Uw6SSXs
NET viewstate in depth – https://www.youtube.com/watch?v=Fn_08JLsrmY
Analyse sensitive data in ASP.NET viewstate – https://msdn.microsoft.com/en-us/library/ms972427.aspx?f=255&MSPPError=-2147217396
Cross-origin-resource-sharing explanation with example – https://www.youtube.com/watch?v=Ka8vG5miErk
CORS demo 1 – https://www.youtube.com/watch?v=wR8pjTWaEbs
CORS demo 2 – https://www.youtube.com/watch?v=lg31RYYG-T4
Security headers – https://www.youtube.com/watch?v=TNlcoYLIGFk
Security headers 2 – https://www.youtube.com/watch?v=ZZUvmVkkKu4

Phase 8 – Attacking authentication/login

Attacking login panel with bad password – Guess username password for the website and try different combinations
Brute-force login panel – https://www.youtube.com/watch?v=25cazx5D_vw
Username enumeration – https://www.youtube.com/watch?v=WCO7LnSlskE
Username enumeration with bruteforce password attack – https://www.youtube.com/watch?v=zf3-pYJU1c4
Authentication over insecure HTTP protocol – https://www.youtube.com/watch?v=ueSG7TUqoxk
Authentication over insecure HTTP protocol – https://www.youtube.com/watch?v=_WQe36pZ3mA
Forgot password vulnerability – case 1 – https://www.youtube.com/watch?v=FEUidWWnZwU
Forgot password vulnerability – case 2 – https://www.youtube.com/watch?v=j7-8YyYdWL4
Login page autocomplete feature enabled – https://www.youtube.com/watch?v=XNjUfwDmHGc&t=33s
Testing for weak password policy – https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
Insecure distribution of credentials – When you register in any website or you request for a password reset using forgot password feature, if the website sends your username and password over the email in cleartext without sending the password reset link, then it is a
Test for credentials transportation using SSL/TLS certificate – https://www.youtube.com/watch?v=21_IYz4npRs
Basics of MySQL – https://www.youtube.com/watch?v=yPu6qV5byu4
Testing browser cache – https://www.youtube.com/watch?v=2T_Xz3Humdc
Bypassing login panel -case 1 – https://www.youtube.com/watch?v=TSqXkkOt6oM
Bypass login panel – case 2 – https://www.youtube.com/watch?v=J6v_W-LFK1c

Phase 9 – Attacking access controls (IDOR, Priv esc, hidden files and directories)

Completely unprotected functionalities

Finding admin panel – https://www.youtube.com/watch?v=r1k2lgvK3s0
Finding admin panel and hidden files and directories – https://www.youtube.com/watch?v=Z0VAPbATy1A
Finding hidden webpages with dirbusater – https://www.youtube.com/watch?v=–nu9Jq07gA&t=5s

Insecure direct object reference

IDOR case 1 – https://www.youtube.com/watch?v=gci4R9Vkulc
IDOR case 2 – https://www.youtube.com/watch?v=4DTULwuLFS0
IDOR case 3 (zomato) – https://www.youtube.com/watch?v=tCJBLG5Mayo

Privilege escalation

What is privilege escalation – https://www.youtube.com/watch?v=80RzLSrczmc
Privilege escalation – Hackme bank – case 1 – https://www.youtube.com/watch?v=g3lv 87cWM
Privilege escalation – case 2 – https://www.youtube.com/watch?v=-i4O_hjc87Y

Phase 10 – Attacking Input validations (All injections, XSS and mics)

HTTP verb tampering

Introduction HTTP verb tampering – https://www.youtube.com/watch?v=Wl0PrIeAnhs
HTTP verb tampering demo – https://www.youtube.com/watch?v=bZlkuiUkQzE

HTTP parameter pollution

Introduction HTTP parameter pollution – https://www.youtube.com/watch?v=Tosp-JyWVS4
HTTP parameter pollution demo 1 – https://www.youtube.com/watch?v=QVZBl8yxVX0&t=11s
HTTP parameter pollution demo 2 – https://www.youtube.com/watch?v=YRjxdw5BAM0
HTTP parameter pollution demo 3 – https://www.youtube.com/watch?v=kIVefiDrWUw

XSS – Cross site scripting

Introduction to XSS – https://www.youtube.com/watch?v=gkMl1suyj3M

What is XSS – https://www.youtube.com/watch?v=cbmBDiR6WaY
Reflected XSS demo – https://www.youtube.com/watch?v=r79ozjCL7DA
XSS attack method using burpsuite – https://www.youtube.com/watch?v=OLKBZNw3OjQ
XSS filter bypass with Xenotix – https://www.youtube.com/watch?v=loZSdedJnqc
Reflected XSS filter bypass 1 – https://www.youtube.com/watch?v=m5rlLgGrOVA
Reflected XSS filter bypass 2 – https://www.youtube.com/watch?v=LDiXveqQ0gg
Reflected XSS filter bypass 3 – https://www.youtube.com/watch?v=hb_qENFUdOk
Reflected XSS filter bypass 4 – https://www.youtube.com/watch?v=Fg1qqkedGUk
Reflected XSS filter bypass 5 – https://www.youtube.com/watch?v=NImym71f3Bc
Reflected XSS filter bypass 6 – https://www.youtube.com/watch?v=9eGzAym2a5Q
Reflected XSS filter bypass 7 – https://www.youtube.com/watch?v=ObfEI84_MtM
Reflected XSS filter bypass 8 – https://www.youtube.com/watch?v=2c9xMe3VZ9Q
Reflected XSS filter bypass 9 – https://www.youtube.com/watch?v=-48zknvo7LM
Introduction to Stored XSS – https://www.youtube.com/watch?v=SHmQ3sQFeLE
Stored XSS 1 – https://www.youtube.com/watch?v=oHIl_pCahsQ
Stored XSS 2 – https://www.youtube.com/watch?v=dBTuWzX8hd0
Stored XSS 3 – https://www.youtube.com/watch?v=PFG0lkMeYDc
Stored XSS 4 – https://www.youtube.com/watch?v=YPUBFklUWLc
Stored XSS 5 – https://www.youtube.com/watch?v=x9Zx44EV-Og

SQL injection

Part 1 – Install SQLi lab – https://www.youtube.com/watch?v=NJ9AA1_t1Ic&index=23&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 2 – SQL lab series – https://www.youtube.com/watch?v=TA2h_kUqfhU&index=22&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 3 – SQL lab series – https://www.youtube.com/watch?v=N0zAChmZIZU&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=21
Part 4 – SQL lab series – https://www.youtube.com/watch?v=6pVxm5mWBVU&index=20&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 5 – SQL lab series – https://www.youtube.com/watch?v=0tyerVP9R98&index=19&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 6 – Double query injection – https://www.youtube.com/watch?v=zaRlcPbfX4M&index=18&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 7 – Double query injection . – https://www.youtube.com/watch?v=9utdAPxmvaI&index=17&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 8 – Blind injection boolean based – https://www.youtube.com/watch?v=u7Z7AIR6cMI&index=16&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 9 – Blind injection time based – https://www.youtube.com/watch?v=gzU1YBu_838&index=15&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 10 – Dumping DB using outfile – https://www.youtube.com/watch?v=ADW844OA6io&index=14&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 11 – Post parameter injection error based – https://www.youtube.com/watch?v=6sQ23tqiTXY&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=13
Part 12 – POST parameter injection double query based – https://www.youtube.com/watch?v=tjFXWQY4LuA&index=12&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 13 – POST parameter injection blind boolean and time based – https://www.youtube.com/watch?v=411G-4nH5jE&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=10
Part 14 – Post parameter injection in UPDATE query – https://www.youtube.com/watch?v=2FgLcPuU7Vw&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=11

Part 15 – Injection in insert query – https://www.youtube.com/watch?v=ZJiPsWxXYZs&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=9
Part 16 – Cookie based injection – https://www.youtube.com/watch?v=-A3vVqfP8pA&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=8
Part 17 – Second order injection –https://www.youtube.com/watch?v=e9pbC5BxiAE&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=7
Part 18 – Bypassing blacklist filters – 1 – https://www.youtube.com/watch?v=5P-knuYoDdw&index=6&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 19 – Bypassing blacklist filters – 2 – https://www.youtube.com/watch?v=45BjuQFt55Y&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=5
Part 20 – Bypassing blacklist filters – 3 – https://www.youtube.com/watch?v=c-Pjb_zLpH0&index=4&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro
Part 21 – Bypassing WAF – https://www.youtube.com/watch?v=uRDuCXFpHXc&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=2
Part 22 – Bypassing WAF – Impedance mismatch – https://www.youtube.com/watch?v=ygVUebdv_Ws&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=3
Part 23 – Bypassing addslashes – charset mismatch –

https://www.youtube.com/watch?v=du-jkS6-sbo&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro&index=1

NoSQL injection

Introduction to NoSQL injection – https://www.youtube.com/watch?v=h0h37-Dwd_A
Introduction to SQL vs NoSQL – Difference between MySQL and MongoDB with tutorial – https://www.youtube.com/watch?v=QwevGzVu_zk
Abusing NoSQL databases – https://www.youtube.com/watch?v=lcO1BTNh8r8
Making cry – attacking NoSQL for pentesters – https://www.youtube.com/watch?v=NgsesuLpyOg

Xpath and XML injection

Introduction to Xpath injection – https://www.youtube.com/watch?v=2_UyM6Ea0Yk&t=3102s
Introduction to XML injection – https://www.youtube.com/watch?v=9ZokuRHo-eY
Practical 1 – bWAPP – https://www.youtube.com/watch?v=6tV8EuaHI9M
Practical 2 – Mutillidae – https://www.youtube.com/watch?v=fV0qsqcScI4
Practical 3 – webgoat – https://www.youtube.com/watch?v=5ZDSPVp1TpM
Hack admin panel using Xpath injection – https://www.youtube.com/watch?v=vvlyYlXuVxI
XXE demo – https://www.youtube.com/watch?v=3B8QhyrEXlU
XXE demo 2 – https://www.youtube.com/watch?v=UQjxvEwyUUw
XXE demo 3 – https://www.youtube.com/watch?v=JI0daBHq6fA

LDAP injection

Introduction and practical 1 – https://www.youtube.com/watch?v=-TXFlg7S9ks
Practical 2 – https://www.youtube.com/watch?v=wtahzm_R8e4

OS command injection

OS command injection in bWAPP – https://www.youtube.com/watch?v=qLIkGJrMY9k
bWAAP- OS command injection with Commiux (All levels) – https://www.youtube.com/watch?v=5-1QLbVa8YE

Local file inclusion

Detailed introduction – https://www.youtube.com/watch?v=kcojXEwolIs
LFI demo 1 – https://www.youtube.com/watch?v=54hSHpVoz7A

LFI demo 2 – https://www.youtube.com/watch?v=qPq9hIVtitI

Remote file inclusion

Detailed introduction – https://www.youtube.com/watch?v=MZjORTEwpaw
RFI demo 1 – https://www.youtube.com/watch?v=gWt9A6eOkq0
RFI introduction and demo 2 – https://www.youtube.com/watch?v=htTEfokaKsM

HTTP splitting/smuggling

Detailed introduction – https://www.youtube.com/watch?v=bVaZWHrfiPw
Demo 1 – https://www.youtube.com/watch?v=mOf4H1aLiiE

Phase 11 – Generating and testing error codes

Generating normal error codes by visiting files that may not exist on the server – for example visit php or chintan.aspx file on any website and it may redirect you to 404.php or 404.aspx or their customer error page. Check if an error page is generated by default web server or application framework or a custom page is displayed which does not display any sensitive information.
Use BurpSuite fuzzing techniques to generate stack trace error codes – https://www.youtube.com/watch?v=LDF6OkcvBzM

Phase 12 – Weak cryptography testing

SSL/TLS weak configuration explained – https://www.youtube.com/watch?v=Rp3iZUvXWlM
Testing weak SSL/TLS ciphers – https://www.youtube.com/watch?v=slbwCMHqCkc
Test SSL/TLS security with Qualys guard – https://www.youtube.com/watch?v=Na8KxqmETnw
Sensitive information sent via unencrypted channels – https://www.youtube.com/watch?v=21_IYz4npRs

Phase 12 – Business logic vulnerability

What is a business logic flaw – https://www.youtube.com/watch?v=ICbvQzva6lE&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI
The Difficulties Finding Business Logic Vulnerabilities with Traditional Security Tools – https://www.youtube.com/watch?v=JTMg0bhkUbo&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=2
How To Identify Business Logic Flaws – https://www.youtube.com/watch?v=FJcgfLM4SAY&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=3
Business Logic Flaws: Attacker Mindset – https://www.youtube.com/watch?v=Svxh9KSTL3Y&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=4
Business Logic Flaws: Dos Attack On Resource – https://www.youtube.com/watch?v=4S6HWzhmXQk&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=5
Business Logic Flaws: Abuse Cases: Information Disclosure – https://www.youtube.com/watch?v=HrHdUEUwMHk&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=6

Business Logic Flaws: Abuse Cases: iPod Repairman Dupes Apple – https://www.youtube.com/watch?v=8yB_ApVsdhA&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=7
Business Logic Flaws: Abuse Cases: Online Auction – https://www.youtube.com/watch?v=oa_UICCqfbY&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=8
Business Logic Flaws: How To Navigate Code Using ShiftLeft Ocular – https://www.youtube.com/watch?v=hz7IZu6H6oE&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=9
Business Logic Security Checks: Data Privacy Compliance – https://www.youtube.com/watch?v=qX2fyniKUIQ&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=10
Business Logic Security Checks: Encryption Compliance – https://www.youtube.com/watch?v=V8zphJbltDY&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=11
Business Logic Security: Enforcement Checks – https://www.youtube.com/watch?v=5e7qgY_L3UQ&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=12
Business Logic Exploits: SQL Injection – https://www.youtube.com/watch?v=hcIysfhA9AA&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=13
Business Logic Exploits: Security Misconfiguration – https://www.youtube.com/watch?v=ppLBtCQcYRk&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=15
Business Logic Exploits: Data Leakage – https://www.youtube.com/watch?v=qe0bEvguvbs&list=PLWoDr1kTbIxKZe_JeTDIcD2I7Uy1pLIFI&index=16
Demo 1 – https://www.youtube.com/watch?v=yV7O-QRyOao
Demo 2 – https://www.youtube.com/watch?v=mzjTG7pKmQI
Demo 3 – https://www.youtube.com/watch?v=A8V_58QZPMs
Demo 4 – https://www.youtube.com/watch?v=1pvrEKAFJyk
Demo 5 – https://hackerone.com/reports/145745
Demo 6 – https://hackerone.com/reports/430854

Phase 13 – WAF Bypass

https://waf-bypass.com/

OSINT and Ephemeral exposures

OSINT and Ephemeral Cloud Native exposures

Tools

Attack Surface Mapper – https://www.blackhat.com/us-19/arsenal/schedule/index.html#attack-surface-mapper-automate-and-simplify-the-osint-process-16713
Public Cloud Security – https://cloudsploit.com/github
https://sysdig.com/
https://www.twistlock.com/
Upguard – https://www.itnews.com.au/news/data-from-nokias-interception-kit-for-russian-telcos-exposed-531186

Penetration Testing

Advice on how to get the most from penetration testing

https://www.ncsc.gov.uk/guidance/penetration-testing

Penetration testing is a core tool for analysing the security of IT systems, but it’s not a magic bullet.

This guidance will help you understand the proper commissioning and use of penetration tests. It will also help you to plan your routine security measures so that you gain maximum benefit from this powerful but expensive operation.

For details of the processes used by CHECK-approved penetration testers, go here.

What is penetration testing?

For the purposes of this article, we will define penetration testing as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.

Pen Testing: The ideal

In an ideal world, you should know what the penetration testers are going to find, before they find it. Armed with a good understanding of the vulnerabilities present in your system, you can use third-party tests to verify your own expectations.

Highly experienced penetration testers may find subtle issues which your internal processes have not picked up, but this should be the exception, not the rule. The aim should always be to use the findings of a penetration test report to improve your organisation’s internal vulnerability assessment and management processes.

What should a penetration test tell you?

Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.

A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.

What sort of system should be tested?

Penetration Testing is an appropriate method for identifying the risks present on a specific, operational system consisting of products and services from multiple vendors. It could also be usefully applied to systems and applications developed ‘in-house’.

For product-specific testing, it is not an appropriate technique.

Using penetration testing effectively

A penetration test can only validate that your organisation’s IT systems are not vulnerable to known issues on the day of the test.

It’s not uncommon for a year or more to elapse between penetration tests. So, vulnerabilities could exist for long periods of time without you knowing about them if this is your only means of validating security.

Third party penetration tests should be performed by qualified and experienced staff only. By their nature, penetration tests cannot be entirely procedural, an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.

The NCSC recommends that HMG organisations use testers and companies which are part of the CHECK scheme. Non-governmental organisations should use teams qualified under one of these certification schemes: CREST, Tiger scheme, Cyber Scheme.

Types of testing

Penetration testers can be used to perform a wide-range of testing. The following list is illustrative, not comprehensive.

1. Test basis

Tests can be carried out by testers armed with varying amounts of information about your system:

Whitebox testing – Full information about the target is shared with the testers. This type of testing confirms the efficacy of internal vulnerability assessment and management controls by identifying the existence of known software vulnerabilities and common misconfigurations in an organisation’s systems.
Blackbox testing – No information is shared with the testers about the internals of the target. This type of testing is performed from an external perspective and is aimed at identifying ways to access an organisation’s internal IT assets. This more accurately models the risk faced from attackers that are unknown or unaffiliated to the target organisation. However, the lack of information can also result in vulnerabilities remaining undiscovered in the time allocated for testing.

2. Test type

Each of the tests described below can be run as either a blackbox or whitebox operation:

Vulnerability identification in bespoke or niche software – Most commonly used in web applications. This type of testing must give feedback to developers on coding practices which avoid introducing the categories of vulnerability identified.
Scenario driven testing aimed at identifying vulnerabilities – The penetration testers explore a particular scenario to discover whether it leads to a vulnerability in your defences. Scenario’s include: Lost laptop, unauthorised device connected to internal network, and compromised DMZ host, but there are many others possible. You should consider, based on previous incidents, which scenarios are most relevant to your organisation.
Scenario driven testing of detection and response capability – In this version of scenario driven testing, the aim is to also gauge the detection and response capabilities your organisation has in place. This will help you understand their efficacy and coverage in the particular scenario. This is an area of current work by the NCSC, further information will be available shortly, please contact us if you have a particular need in this area.

Note

If you have a particular scenario that requires additional assurance, a specifically targeted penetration test may be a good way to obtain that assurance. A suitably qualified penetration testing team will be able to guide you through the selection and scoping process required in this case.

Your testing regime

It’s critically important to note that a planned penetration test doesn’t mean your normal testing regime should cease to include security tests on the target system. Functional testing of security controls should still occur.

Assessing whether defined security controls are functioning is not a valuable use of penetration testing resources.

A functional testing plan should always include positive tests (such as “The logon box comes up every time you try to log in and you aren’t just allowed in”).

Negative testing may be included in your functional testing plan where the skills to perform it are available within your organisation (for example, verifying that ‘You can’t log in without the correct password’).

A model penetration test engagement

A typical penetration test will follow this pattern: Initial engagement, scoping, testing, reporting and follow up. There should be a severity rating for any issues found.

For this model we assume that:

You wish to know what the impact of an attacker exploiting a vulnerability would be, and how likely it is to occur
You have an internal vulnerability assessment and management process

Initial engagement of the external team

You should ensure that the external team has the relevant qualifications and skills to perform testing on your IT estate. If you have any unusual systems (mainframes, uncommon networking protocols, bespoke hardware etc.) these should be highlighted in the bid process so that the external teams know what skill sets will be required.

Scoping

Scoping a penetration test should involve:

All relevant risk owners
Technical staff knowledgeable about the target system
A representative of the penetration test team

Where the goal of the test is to ensure good vulnerability management:

Risk owners should outline any areas of special concern
Technical staff should outline the technical boundaries of the organisation’s IT estate
The penetration test team should identify what testing they believe will give a full picture of the vulnerability status of the estate

Assuming you have one, a current vulnerability assessment should be shared with the testers at this stage. Testing can then be designed to support a reasonable opinion on the accuracy and completeness of the internal vulnerability assessment.

Special requirements

During scoping, you should outline any issues which might impact on testing. This might include the need for out-of-hours testing, any critical systems where special handling restrictions are required, or other issues specific to your organisation.

Plan of action

The output of the scoping exercise should be a document stating:

The technical boundaries of the test
The types of test expected
The timeframe and the amount of effort necessary to deliver the testing – usually given in terms of resource days
Depending on the type of approach agreed, this document may also contain a number of scenarios or specific ‘use cases’ to test
The penetration testing team’s requirements.This will allow you to do any necessary preparation before the date of the test. For example, by creating test accounts or simply allocating desk space
Any compliance or legislative requirements that the testing plan must meet
Any specific reporting requirements, for example the inclusion of CVSS scores or use of CHECK severity levels
Any specific time constraints on testing or reporting, that a penetration testing company will need to consider when allocating resources

Testing

Staying in contact

During the test phase, you should ensure that a technical point of contact is available at all times. The point of contact does not need to spend all their time working with the test team but should be available at short notice. This allows the test team to raise any critical issues found during testing, and resolve problems which are blocking their testing (such as network misconfiguration).

Taking care

The testers should make every effort to avoid causing undue impact to the system being tested. However, due to the nature of penetration testing, it’s impossible to guarantee that no unexpected reactions to testing will occur.

Changing scope

During a penetration test or security assessment, the testing team may identify additional systems or components which lie outside of the testing scope but have a potential impact on the security of the system(s) which have been defined as in scope.

In this event, the testing team may either suggest a change to the scope, which is likely to alter testing time frames and cost, or they may recommend that the exclusion of such components be recorded as a limitation on testing.

The decision on which would be the preferred option will generally be down to the risk owner, with the penetration team responsible for clearly articulating the factors to consider.

Reporting

The test report should include:

Any security issues uncovered
An assessment by the test team as to the level of risk that each vulnerability exposes the organisation or system to
A method of resolving each issue found
An opinion on the accuracy of your organisation’s vulnerability assessment
Advice on how to improve your internal vulnerability assessment process

A debriefing can also be useful. At this meeting the test team run through their findings and you can request further information or clarification of any issues.

Severity rating

When rating vulnerabilities it is common for penetration testers (often at customer behest) to use the Common Vulnerability Scoring System which attempts to give a numerical score identifying the severity of a vulnerability.

To simplify this measurement, CHECK reports are required to state the level of risk as HIGH, MEDIUM, LOW or INFORMATIONAL in descending order of criticality. For CHECK reports, scoring systems such as CVSS may be used in addition to (but not in place of) this.

Whilst vulnerabilities are ordinarily categorised at one of these levels in a consistent manner, exceptions can sometimes occur. For example, other mitigating controls in place could minimise the effectiveness of a vulnerability, or the presence of additional vulnerabilities could have a synergistic effect.

Any deviation from associating a vulnerability with its standard rating should be documented and justified by the penetration testing team.

Follow up on the report

Do your own assessment

The penetration test report should be assessed by your organisation’s vulnerability management group in a similar manner to the results of an internal vulnerability assessment.

The penetration test team will have rated each issue found and given a potential solution. However, it’s important to note that risk assessment and decisions on the application of fixes are your responsibility.

The test team may not have had access to all details about a specific system or the potential business impact of the exploitation of a vulnerability. Consequently, they may rate issues either lower or higher than you. This process of assessing vulnerability levels should not be used to downplay issues – it should be a process of looking at issues and identifying the risk to your organisation.

2. Previously unknown vulnerabilities

Any vulnerabilities identified by the penetration test which you did not previously know about should be given special attention, with the aim of identifying ways in which you might go about spotting such issues in future.

3. Choosing solutions

The solutions proposed by your penetration testers may not be the only ones possible. You should take advice from your own technical staff and suppliers on alternatives.

As an example, imagine your pen testers have suggested patching a piece of software. You should ask yourself, ‘Is this the only solution to the problem?’ It may be possible to simply uninstall the software if it’s not actually required, or other controls could be put in place to limit exposure to the vulnerability. It may even be that additional monitoring of the vulnerable component is sufficient to reduce the risk to an acceptable level.

Vulnerability risk assessment and mitigation is a business process and should not be wholly outsourced to the test team

OSCP Intro Letter

Dear Applicant,
Thank you for your interest in Penetration Testing with Kali Linux. Please read this entire email carefully as it contains very important information.

Course Prerequisites

To be successful, you must have basic Linux skills – meaning you need to be able to navigate through the Linux filesystem, run simple commands, edit files, and be comfortable at the command line in general. We also recommend being familiar with Bash scripting with basic Perl, Python, or Ruby skills being considered a plus. A solid understanding of TCP/IP including addressing, routing, and subnetting basics are required as well.

Course Information

The Penetration Testing with Kali Linux (PWK) online course is comprised of downloadable videos totaling over eight hours in length and an approximately 350 page PDF lab guide. If you haven’t already done so, you can view the course syllabus and objectives at the following link:

Penetration Testing with Kali Linux Syllabus ^[1]

In addition to these study materials, you will receive access to our online labs where you can practice various attack techniques safely and legally. You can purchase VPN lab access for 30, 60, or 90 days in duration. The lab time begins when you receive your course materials as the content is intended to be practiced as you progress through the course. Based on previous student experiences, we recommend you begin with the 60 day option. Please note that once purchased, lab time is non-refundable.

The cost for this course with 30 days of labs is: 800$ USD
The cost for this course with 60 days of labs is: 1000$ USD
The cost for this course with 90 days of labs is: 1150$ USD

The certification exam is included in the fees above.

We only accept payment via major credit cards, debit cards, and e-wallets.

The time required to complete the course exercises depends on your technical background however, the average reported time by our students is a minimum of 100 hours. Note that this estimate only reflects the time to complete the course exercises and does not include the time needed to attack the various lab systems, which can vary from weeks to months depending on background, aptitude, and available time. Generally we find that 60 days of lab time is suitable for the average student.

You will be able to watch the videos and read the lab guide offline, however the VPN labs require a solid Internet connection – high speed ADSL or cable connection (512/256 minimum). Our labs contain various configurations of Windows and Linux machines with specialized software packages and pentesting applications.

Online Lab Access

Our online VPN lab environment is a critical component of the course and you are provided access along with your course materials on your start date. You may not receive your course materials prior to your lab access as you are expected to work through the course exercises in the lab environment.

Lab access is provided as a consecutive block of time and is non-refundable. You may only pause your lab account under exceptional circumstances and only with valid, written justification. When lab time is paused, resources are still allocated in our lab which remain idle that prevent other students from being able to occupy your position in the labs.

Support Terms

Please note that Penetration Testing with Kali Linux is a self-paced and self-directed course that does not have any official support. In order to be successful, a great deal of independent study and research beyond the presented materials is required. You are expected to conduct extra research in order to compromise various hosts or complete the course exercises.

Our student administrators are available primarily to assist with technical issues related to the online labs but can also provide occasional hints or guidance after a student has demonstrated that they have already put in substantial effort before asking for assistance. We do however have active student forums where help might be found if needed. To get a better understanding of the effort and level of work required in the course, we recommend you refer to our Course Reviews ^[2] page where you will find numerous unsolicited reviews written by our alumni.

The typical administrative hours for the orders department are 1400 – 2200 GMT and our student administrators are typically online from 0800 – 0300 GMT.

Certification Information

The Offensive Security Certified Professional (OSCP) ^[3] certification challenge is an online exam. You will connect to our exam VPN lab remotely and have 23 hours and 45 minutes to complete the challenge and an additional 24 hours to submit your documentation by email. In addition to meeting the certification exam objectives, you must submit an exam penetration test report in order to be awarded your OSCP designation.

You must schedule the challenge within 90 days of the expiration of your lab time.

Penetration Testing with Kali Linux may qualify you for 40 ISC2 CPE Credits. This applies to students who submit their exercises and documentation at the end of the course or pass the certification challenge. CISSPs can register the Offensive Security training at the ISC2 website. Please note that we cannot register the CPEs on your behalf.

Continue Registration

We open a course every Sunday and recommend that students begin the registration process 15 – 30 days before their desired start date. If you would like to sign up for the Penetration Testing with Kali Linux course, please follow the link below in order to continue your registration. It is very important that you register with your legal name. You will have the opportunity to change this after passing your certification if you would like your certificate to read differently.

Our students usually provide us with a corporate email address or an address that can somehow help provide proof of identity. Email addresses from Internet Service Providers (ISP) or free email providers such as Hotmail or Gmail (including paid versions), are not accepted without a scanned ID.
If you are unable to provide an alternate non-free address that allows us to get basic verification, we will require a scanned copy of your valid government issued ID in color, such as a driver’s license or passport. For IDs in the form of a card, please include a scan of both the front and back of the card.

We need to be able to see your photo, full name, address (if applicable), year of birth and the expiration date of the ID. You may blur the ID number. Expired IDs are not accepted.

You may also send a photo of your ID if a scanner is not available as long as the image is clear and not blurry.

If you choose to send a scanned ID, you may blur the ID number and send it to [email protected] (please do so only after you use the link below and provide the required information).
Note that a registration request with a free email address will be ignored.

Register for Penetration Testing with Kali Linux ^[4]

The above registration link will be valid for the next 72 hours. You will be required to submit a new request in the future via our website if you do not use this link in the allotted time.

Do not hesitate to contact us with any questions.

Sincerely,
The Offensive Security Team
www.offensive-security.com

[1]: https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf
[2]: https://www.offensive-security.com/testimonials-and-reviews/
[3]: https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
[4]: https://www.offensive-security.com/signup.php?md=2cf4fd5e2380e823a225d78c56cf5cc3&ver=1dssv65332

Path to Hack

http://try2hack.nl/levels/
https://hackthissite.org/
http://dvwa.co.uk/
http://testasp.vulnweb.com/
http://www.vulnweb.com/

Resources

OSCP Reporting templates
- https://github.com/noraj/OSCP-Exam-Report-Template-Markdown?fbclid=IwAR0CAe28YHZeRIeLihyWqjMNMcELRM0pdfzGStJCEvMREp9BUZQqBb_6SfE

Bug Bounties

No alternative text description for this image

HackerOne
Bugcrowd
https://yeswehack.com/programs
https://www.vulnmachines.com/
Vulnerability Lab
Fire Bounty
https://www.hackthebox.eu/
https://tryhackme.com/signup
Bug Bounty Methodologies
- https://www.linkedin.com/posts/hackingarticles_bug-hunting-methodology-activity-6731105184459571201-1qJB

Targets

Web/API
Mobile App/API

Tools

Selenium Testing
http://webbreaker.io/
Automation
- https://www.jhaddix.com/post/the-secrets-of-automation-kings-in-bug-bounty

Companies

Microsoft – https://msrc-blog.microsoft.com/2019/08/05/azure-security-lab-a-new-space-for-azure-research-and-collaboration/
DOD –
Apple
Spotify

PenTesting / Scanning Cached/Load Balanced Targets

As part of the PCI Certification process, external facing application that are in scope of the PCI environment require a PCI ASV scan. If these external facing applications are using load balancing and/or caching, please be aware of the following; (Examples of Load Balancers include; F5 LTM, AWS Elastic Load Balancer/ AWS CloudFront.)

Any load balancer using a full proxy architecture will establish a TCP connection to the virtual load balanced IP or VIP and the load balancer will proxy your scans and connection requests to a pool of backend applications servers. The rules on your load balancer determine which member of the pool gets that second connection. This means that you have no way of knowing which pool member you have scanned. The IP of the backend server will not be returned to the initial host, the one from which you established the initial TCP connection (to the VIP). To allow a PCI ASV scan, please add scanning origin to temporarily allow direct scans of your servers.

Please consider the following when determining the number of IP address required for External Scan;

There are no load balancers in front of any in-scope servers:
- External IP address / URL counted as individual IPs.
All servers behind load balancers are identical and synchronized:
- The external facing VIP or load balanced URL/IP is counted as an individual IP (Allow scanning origin to temporarily allow direct scans of your servers.)
Servers behind load balancers not identical and not synchronized:
- Need to scan each individual IP instead of the VIP. (Allow scanning origin to temporarily allow direct scans of all servers.)

Pentesting Akamai – the_pentesters_guide_to_akamai

Mailware analysis

Debuggers – gdb, WinDBG, OllyDBG
Operating System Primer – https://www.slideshare.net/saumilshah/operating-systems-a-primer
How functions work – https://www.slideshare.net/saumilshah/how-functions-work-7776073
Introduction to Debuggers – https://www.slideshare.net/saumilshah/introduction-to-debuggers
Return Oriented Programming – https://www.slideshare.net/saumilshah/dive-into-rop-a-quick-introduction-to-return-oriented-programming
https://www.winitor.com/
RawDisk – https://www.eldos.com/rawdisk/
Cuckoo – https://cuckoosandbox.org/

PenTesting Methodology

Security Colony - Detail 2019-04-17 22-10-24.png

F3EAD Model

Find: essentially ‘picking up the scent’ of the opponent, with the classic “Who, What, When, Where, Why” questions being used within this phase to identify a candidate target
Fix: verification of the target(s) identified within the previous phase, which typically involves multiple triangulation points. This phase effectively transforms the intelligence gained within the “Find” phase into evidence that can be used as basis for action within the next stage
Finish: based on the evidence generated from the previous two phases the commander of the operation imposed their will on the target
Exploit: deconstruction of the evidence generated from the finish phase
Analyze: fusing the exploited evidence with the wider intelligence picture
Dissemination: finally publishing the results of the research to key stakeholder

Identify Target Environment

Wireless
Web Application
MITRE ATT&C – https://attack.mitre.org/wiki/Main_Page
External Network Infrastructure
Internal Network Infrastructure
Database Infrastructure
Social Engineering
Physical Security
SCADA
IoT
https://www.faradaysec.com/#why-faraday
0
RedTeamOperations

Reconnaissance

Kali Cheatsheet

The following is a list of improvements to the Kali distro to turbo charge your Pen Test tool kit..

Kali VM Username and Password: kali/kali

Fresh Install

Setup Kali on AWS – https://www.alienvault.com/blogs/security-essentials/configuring-kali-linux-on-amazon-aws-cloud-for-free
Use Generation 1 in Hyper-V
Install VM Guest Tools
1. https://www.kali.org/docs/virtualization/install-vmware-guest-tools/
sudo su
sudo apt-get install asciinema
asciinema rec / exit
lsb_release -a
apt-get update && apt-cache search kali-linux-full
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
sudo dpkg –configure -a
apt-get autoremove
reboot
Install Vmware Tools and shared folders
1. sudo apt update && sudo apt full-upgrade -y && sudo apt install kali-themes
2. sudo apt install -y –reinstall open-vm-tools-desktop fuse
3. usr/bin/vmware-hgfsclient
4. cd /mnt/hgfs/
5. ln -sf /usr/local/sbin/mount-shared-folders ~/Desktop/mount-shared-folders gsettings set org.gnome.nautilus.preferences executable-text-activation ‘ask’
6. https://www.kali.org/docs/virtualization/install-vmware-tools-kali-guest/
7. sudo mount -t vmhgfs .host:/Desktop /mnt/hgfs
8. sudo mount -t fuse.vmhgfs-fuse .host:/Downloads /mnt/hgfs/Downloads -o allow_other
9. nano /etc/fstab
10. hosts:/Downloads /mnt/hgfs/Downloads fuse.vmhgfs-fuse allow_other
11. mount -t vmhgfs .host:/Desktop /mnt/hgfs
12. sudo mount -t fuse.vmhgfs-fuse .host:/Downloads /mnt/hgfs/Downloads -o allow_other
13. nano /etc/fstab Hosts:/Downloads /mnt/hgfs/Downloads fuse.vmhgfs-fuse allow_other
Set Root password
1. sudo su –
2. passwd

Install Applications

Install Tmux
Install Axiom – https://github.com/mikeiacovacci/axiom-framework
Install disk Util
- sudo apt-get install gnome-disk-utility
Mount USB
- //Mount USB
  fdisk -l mkdir
  /mnt/usb mount -v -t auto /dev/sdf1 /mnt/usb
  cd /mnt/usb/
  umount /dev/sdf1
Install Android SDK
- apt-get install android-sdk
- apt-get install openjdk-7-jre openjdk-7-jdk icedtea-7-plugin
- apt-get install lib32stdc++6
- android update sdk –no-ui
- android
- aptget install adb
- https://ibotpeaches.github.io/Apktool/install/
- http://jd.benow.ca/
- http://www.telerik.com/docs/default-source/fiddler/fiddler-linux.zip?sfvrsn=2
- http://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
- https://itfellover.com/fiddler-4-linux-mono-install-configuration-and-testing/
Install nexpose -https://community.rapid7.com/community/nexpose/blog/2014/06/11/kali-for-ya
install metasploit –
Install Nesus Home – https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code
- dpkg -i
- /etc/init.d/nessusd start
- iceweasel https://8834
Ming C Complier
- apt-get install minwg32
Hyberion encryption bypass antivirus
- wget
- unzip
VEIL-EVASION
ETERCAP
- enable root
- nano /etc/ettercap/etter.conf
- ecu_uid = 0
- ec_gid = 0
Install BurpSuit
Install ExploitPack – http://exploitpack.com/download.html
Install OpenVAS https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
Install Visual Trace Route – https://www.thefanclub.co.za/how-to/how-install-open-visual-traceroute-ubuntu
Arpscanning – https://www.blackmoreops.com/2015/12/31/use-arp-scan-to-find-hidden-devices-in-your-network/
HPING3 – https://www.blackmoreops.com/2015/04/21/denial-of-service-attack-dos-using-hping3-with-spoofed-ip-in-kali-linux/
DDOS – https://www.blackmoreops.com/2015/10/21/free-dos-attack-tools/
DDOS Tools – http://null-byte.wonderhowto.com/how-to/hack-like-pro-denial-service-dos-tools-techniques-0165699/
DDOS Tools – http://picateshackz.com/2016/02/ddos-attack-using-goldeneye-in-kali-sana.html
https://pentest-tools.com/information-gathering/google-hacking
http://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2015/081115-10AM-Pentesting.pdf
https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Install HTTPRINT – http://www.net-square.com/httprint.html
Install Vulnreport – http://vulnreport.io/documentation#interfaces
Install cobaltstrike.com
Install DRADIS – https://dradisframework.com/ce/
Firefox Tools
- Install Firefox Develop Editions
- Install Firefox Hackbar
- Install Fidler
- TamperData
- https://addons.mozilla.org/en-US/firefox/collections/adammuntner/webappsec/
Install IDA and
- IDA – https://www.hex-rays.com/products/ida/support/download_freeware.shtml
- https://github.com/radare/radare2
- https://wordpress.com/post/virtualizationandstorage.wordpress.com/6219
Install BruteForce Password cracking via Tor
- https://github.com/realgam3/pymultitor
Python Scripts
- easy_install pyPdf python-nmap pygeoip mechanize BeautifulSoup4
- apt-get install python-bluez bluetooth python-obexftp
- https://github.com/leebaird/discover
Password lists
- kali > cewl -w customwordlist.txt -d 5 -m 7 www.sans.org
- https://github.com/danielmiessler/SecLists
- https://weakpass.com/
- https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/
Install Google Rapid Response – https://github.com/google/grr
Install OSINT Framework Spiderfoot – http://www.spiderfoot.net/gallery/
Install GitRob – https://github.com/michenriksen/gitrob
Install Git scanners – https://www.linkedin.com/pulse/uber-fail-creds-code-stu-hirst/?trackingId=pv7fAjJi2JjdMFaxvZQnbg%3D%3D
Install FIR – https://github.com/certsocietegenerale/FIR
Install FAME – https://certsocietegenerale.github.io/fame/
Install Wapiti – http://wapiti.sourceforge.net/
Install LazyScript – https://github.com/arismelachroinos/lscript
Install CloudFlare script – https://github.com/christophetd/CloudFlair
Install DFIR Tools – https://www.dfir.training/tools/new
Install – https://www.shellterproject.com/introducing-shellter/#
Install PenTest Toos – https://infosecninja.blogspot.com/p/pentest-tools-archive.html
Install Arachni – https://www.arachni-scanner.com/
Install XSR or PSR for Screenshot documentation
Install Netitude – https://labs.nettitude.com/tools/
Install Rebel Framework – https://kalilinuxtutorials.com/rebel-framework-penetration-testing-framework/
https://datasploit.readthedocs.io/en/latest/
Etherrcap – https://www.ettercap-project.org/
– https://github.com/nonnymoose/xsr
Install – https://subgraph.com/vega/
Goscan – https://medium.com/@iics/automate-your-initial-phase-of-pentesting-a0eb3f3c5742
EZ tools – https://digital-forensics.sans.org/community/downloads/digital-forensics-tools?utm_medium=Email&utm_source=HL&utm_content=SANS+Free+Resources+EZTools&utm_campaign=SANS+Resources
Install Appol – https://github.com/mac4n6/APOLLO
Install WebSpoilt – https://websploit.org/websploit_kali.sh
OSINT Tools – https://gbhackers.com/sn1per-a-detailed-explanation-of-most-advanced-automated-information-gathering-penetration-testing-tool/
Install SIFT tools
Frameworks
- GoPhish
  - https://getgophish.com/
- Powershell Empire
  - https://github.com/BC-SECURITY/Starkiller
- https://powerzure.readthedocs.io/en/latest/index.html
- Install Optiva-Framework
- https://github.com/joker25000/Optiva-Framework
- Install SPARTA
  - https://gbhackers.com/sparta-network-penetration-testing-gui-toolkit/
- Install WFI Wifi
  - https://github.com/entynetproject/ehtools
- Zphisher
  - https://github.com/htr-tech/zphisher
- Install Axiom – https://github.com/mikeiacovacci/axiom-framework
- DNS Steal
  - https://github.com/m57/dnsteal
- Spray Cat
  - https://github.com/aas-n/spraykatz
- Yuki Chan
  - https://github.com/Yukinoshita47/Yuki-Chan-The-Auto-Pentest
- Jok3r
  - https://www.jok3r-framework.com/
  - https://github.com/yogeshojha/rengine
- AutoRDPwn
  - https://github.com/JoelGMSec/AutoRDPwn
- DeepSea
  - https://github.com/dsnezhkov/deepsea
Install https://socrange.com/csilinux/
Google Scanner
- https://github.com/google/tsunami-security-scanner

Install Animated GIF Peek

sudo add-apt-repository ppa:peek-developers/stable
sudo apt update
sudo apt install peek

```
sudo apt-get install byzanz
```

byzanz-record --duration=15 --x=200 --y=300 --width=700 --height=400 out.gif

Cloud Security Tools and Labs

Offensive Terraform – https://offensive-terraform.github.io/offensive-terraform.github.io/
CapitalOne – SRE exploits
https://rzepsky.medium.com/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
https://medium.com/securing/data-leaks-from-aws-ec2-how-can-bob-reveal-alices-secrets-bd6fbe389966
FOR509: Cloud Forensics and Incident Response : US$7,020.00 USD
SEC588: Cloud Penetration Testing : US$7,020.00 USD
https://aws.amazon.com/mp/scenarios/security/forensics/
Find articats in Github
Eyewitness
Open Database
https://www.sans.org/reading-room/whitepapers/forensics/paper/39230
https://medium.com/@cloudyforensics/how-to-perform-aws-cloud-forensics-309a03a77aee
https://cyberforensicator.com/2018/03/28/how-to-perform-aws-cloud-forensics/
https://anz-resources.awscloud.com/aws-summit-sydney-2019-secure/automated-forensics-and-incident-response-on-aws-3
postman
privileged and escalations with PACU
https://www.youtube.com/watch?v=lOhvIooWzOg
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/87f050c7-3ad7-4f09-a156-4a0f80182b4c.xhtml
https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
https://subscription.packtpub.com/book/virtualization_and_cloud/9781789136722/19/ch19lvl1sec122/privilege-escalation
https://rzepsky.medium.com/playing-with-cloudgoat-part-5-hacking-aws-with-pacu-6abe1cf5780d
https://www.praetorian.com/blog/privilege-escalation-in-aws-with-passrole-attacks
Pacu is an open source AWS exploitation toolkit written by Rhino Security Labs. It was built to aid penetration testers in attacking AWS environments; so, now we will quickly install and set up Pacu to automate these attacks that we have been trying.
https://www.youtube.com/watch?v=lOhvIooWzOg

Staying anonymous

proxychain use socks5 only
update dns to opendns and in nertherlands
Disable webrtc
Use OpenVPN
use duckduckgo.com for searching
spoof mac address
https://aws-ir.readthedocs.io/en/latest/