
VIRTUAL HACKING LABS

PENETRATION TESTING
COURSEWARE SAMPLE

WWW.VIRTUALHACKINGLABS.COM
INTRODUCTION

ABOUT US
The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing
training solutions. We believe that the most effective and efficient learning approach is to combine
practical scenario-based training with easy-to-understand courseware. To fulfil this learning experience
we have created a full virtual penetration testing environment called: The Virtual Hacking Labs.

Our mission is to create the best Virtual Hacking Labs and training materials at an affordable rate for as
many (aspiring) information security professionals as possible. The Virtual Hacking Labs want to provide
continuously updated labs and courseware that can be used to maintain the knowledge and skill levels that
are expected from IT security professionals. We also want to make practical training available for anyone
aspiring to a job as ethical hacker or penetration tester. For this reason our courseware starts from the
basics and gradually increases in difficulty by covering more advanced subjects.

PENETRATION TESTING LAB
The Virtual Hacking Labs is a penetration testing lab accompanied by extensive courseware covering the
most important subjects in the field of penetration testing. The Virtual Hacking Labs contain many
real-world scenarios that allow you to learn and practice penetration testing in a safe environment. Many
of these scenarios can be found in a lot of company IT environments and contain devices such as: Domain
Controllers, Firewalls, Linux and Windows servers, NAS, Android devices and of course Windows and Linux
clients. All devices and machines in the labs are configured to be intentionally vulnerable and can be
exploited in one or more ways.

The courseware that is included with every access pass covers all phases of penetration testing, from
enumeration to exploitation. By enumerating the lab machines you will learn how to gather information that
can be used for vulnerability assessments and finally to exploit the machines. In the labs you will learn
how to enumerate and exploit protocols such as FTP, SNMP & SMB. You will also learn how to exploit web
applications that are vulnerable to Remote Code Execution, SQL injection, Local File Inclusion, Remote File
Inclusion and many more vulnerabilities. After getting an initial command line shell on an exploited
target, you will have the opportunity to practice privilege escalation techniques that are used to upgrade
the current shell with administrator privileges.

LAB ACCESS
Access to the Virtual Hacking Labs is provided through a VPN client which connects you to the network as
if it is a real company network. We provide several popular pre-configured penetration testing
distributions such as Kali Linux and Parrot Security OS. Installing the penetration testing distribution
of your choice is very easy and usually consists of a few clicks.

VULNERABLE HOSTS
In the labs you will learn how to compromise both Windows and Linux hosts running webservers, mail
servers, development tools and many more services and protocols. You will also encounter network devices
like virtual firewalls, routers and NAS systems commonly used in both personal and enterprise settings.
Every system is configured to contribute to a specific learning experience using one or more attack
vectors.

We are keeping the labs up-to-date with new machines and recently discovered vulnerabilities with high
impact on a monthly basis. This is how we want to keep your knowledge and experience up-to-date.

TRAINING MATERIALS
Along with the lab access we provide all the written courseware and documentation that is needed to learn
penetration testing and be successful in the labs. We are keeping the training material up-to-date
continuously to make sure you will learn the latest insights and techniques in the field of ethical
hacking.

The courseware is written in a way that is easily understandable for anyone new in the field of
penetration testing. We start with the very basics of penetration testing and gradually increase the
difficulty by covering more advanced subjects.

RESET PANEL
The Virtual Hacking Labs reset panel can be used to reset hosts in the lab network back to their original
state. Resetting a host is particularly useful when a host is left in a state where it is not vulnerable
anymore. Resetting the host will give you a fresh start on the machine. Every student is allowed to reset
hosts in the lab every 15 minutes through the reset panel. This guarantees an effective learning
experience as designed, without delays.

STUDENT PANEL
All students have access to a dedicated student panel that can be used to track your course and lab
progress. This panel also provides information about the lab machines, including hints for anyone that's
stuck at a specific box. This way you can choose what your learning path will look like. Do you prefer a
full black box approach and root all machines on your own, or do you prefer a balance between the
theoretical and practical parts of the course with some help along the way?

The hints are not direct solutions for the lab machines but they contain enough information to push you
in the right direction. To keep the Virtual Hacking Labs challenging for everyone we only provide hints
for the Beginner and Advanced machines. The Advanced+ hosts are the final challenge and are excluded from
hints.

CERTIFICATE OF COMPLETION
Those who managed to get root/administrator access on at least 20 lab machines can request a certificate
of completion. This trophy consists of a PDF certificate with your name and a set of badges to use for
social media such as LinkedIn. The VHL Certificate of Completion is included at no additional cost with a
month pass and greater.

To be eligible for the VHL Certificate of Completion you need to:
1. Get root/administrator access on at least 20 lab machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab machines.
4. Supply the contents of key.txt files from the rooted lab machines.

The documentation should at least contain information about the exploited vulnerabilities, such as the
CVE IDs, used exploits and screenshots of the exploitation process. The screenshots should contain at
least the following information: lab machine IP, your IP and the used commands (command line, URLs,
requests etc.). For privilege escalation also include screenshots with the output of the id/whoami/getuid
command before and after executing the exploit.

After submitting the documentation we will manually verify the information and check the authenticity of
the screenshots. Be sure to include your student ID and full name to display on the Certificate of
Completion in the documentation. Also use the e-mail address you have signed up with to the Virtual
Hacking Labs. When the supplied documentation and screenshots have been approved we will send the
Certificate of Completion as soon as possible.

Completing the penetration testing course may qualify you for 40 (ISC)² CPE and EC Council credit hours.
The Certificate of Completion can be used as proof for completing the course.

PRICING
Access passes include all access to our labs, online courseware, courseware e-book and a certificate of
completion, except for the week pass which does not include the certificate and the e-book version of the
courseware.

1 week access    $49    €46
1 month access   $99    €93
3 month access   $249   €233
6 month access   $449   €419
1 year access    $749   €699
COURSE TABLE OF CONTENTS

1. PENETRATION TESTING BASICS
   1. Intro
   2. About Penetration testing
   3. The Penetration process explained
   4. Jobs and professional opportunities

2. ACCESSING THE LABS
   1. Intro
   2. Installing Kali Linux
   3. VPN Access
   4. Reset panel
   5. Rules & Restrictions
   6. Legal
   7. Certificate of Completion
   8. Where to start from here?

3. INFORMATION GATHERING
   1. Intro
   2. Passive information gathering
   3. Active information gathering

4. VULNERABILITY ASSESSMENT
   1. Intro
   2. Metasploitable 2 enumeration information & Vulnerabilities
   3. Vulnerability & Exploit databases
   4. Nmap scripts
   5. OpenVAS automated vulnerability scanning

5. EXPLOITATION
   1. Intro
   2. How to work with exploits and where to find them
   3. Compiling Linux kernel exploits
   4. Compiling Windows exploits on Linux
   5. Transferring exploits
   6. Exploiting vulnerabilities in practice

6. PRIVILEGE ESCALATION
   1. Intro
   2. Privilege escalation on Linux
   3. Privilege escalation on Windows

7. WEB APPLICATIONS
   1. Intro
   2. Local and Remote File Inclusion (LFI/RFI)
   3. Remote Code Execution
   4. Remote Command Execution
   5. SQL Injection Basics
   6. Web shells
   7. File Upload Vulnerabilities
   8. Cross-Site Scripting (XSS)

8. PASSWORD ATTACKS
   1. Intro
   2. Generating password lists
   3. Windows passwords and hashes
   4. Cracking hashes with John
   5. Web application passwords

9. NETWORKING & SHELLS
   1. Intro
   2. Netcat shells
   3. Upgrading a Netcat shell to Meterpreter

10. METASPLOIT
   1. Intro
   2. Basic Commands
   3. Exploit Commands
   4. Meterpreter Basics
3.2 PASSIVE INFORMATION GATHERING

Passive information gathering is the process of collecting information about a specific target from publicly
available sources that can be accessed by anyone. They include search engine data, social media, online
databases and even the company website. This kind of information gathering is all about ‘getting to know
your target’ and is usually performed before starting the actual penetration test because it may yield
valuable information for later use. Intentionally or unintentionally, many companies leak information
that can be picked up by hackers without ever touching the company servers. Some of this information
can be important and, when combined with other data, may become a serious security threat. Think of
how employee names can be combined with company naming conventions to generate real and useable
account names. This kind of data can be used to perform more effective password attacks for hackers to
gain an initial beachhead on the company network.

Passive information gathering activities should be focused on identifying IP addresses, (sub)domains,
finding external partners and services, the types of technologies used and any other useful information
(including the names of employees working at the company, e-mail addresses, websites, customers, naming
conventions, e-mail & VPN systems and sometimes even passwords).

There are numerous sources that can be used for passive enumeration including:
• Google, Bing, Yahoo, Shodan, Netcraft and other search engines
• Social media such as LinkedIn, Twitter, Facebook & Instagram
• Company websites
• Press releases
• Discussion forums
• Whois databases
• Data breaches

SEMI PASSIVE INFORMATION GATHERING
Earlier we mentioned that passive information gathering techniques do not touch company servers, meaning
that no record of your activity will appear in system logs owned or managed by the company. When passive
information gathering methods do connect to (company) servers to obtain intelligence through behaviour
and activities that appear normal, we are talking about semi-passive information gathering. An example
would, for instance, be visiting the target's company website to collect information about staff or
technology that is in use by the target. During this visit the pentester mimics the behaviour of a regular
visitor and only clicks visible links, accesses public locations and behaves like any regular visitor
would, without drawing attention. In such a case any intrusion detection system (IDS) or systems
technician will be unable to distinguish the pentester's traffic from other regular traffic and the
activity will pass unnoticed.

In the following sections we'll look at some techniques and tools that can aid in the process of passive
information gathering, starting with DNS enumeration.

DNS ENUMERATION
DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records. DNS
stands for Domain Name System, which is a database containing information about domain names and their
corresponding IP addresses. The DNS system is responsible for translating human-readable hostnames into
machine-readable IP addresses. The most important records to look for in DNS enumeration are the:
• A (address) records containing the IP address of the domain.
• MX records, which stands for Mail Exchange, contain the mail exchange servers.
• CNAME records used for aliasing domains. CNAME stands for Canonical Name and links any sub-domains with
  existing domain DNS records.
• NS records, which stands for Name Server, indicate the authoritative (or main) name server for the
  domain.
• SOA records, which stands for State of Authority, contain important information about the domain such
  as the primary name server, a timestamp showing when the domain was last updated and the party
  responsible for the domain.
• PTR or Pointer Records map an IPv4 address to the CNAME on the host. This record is also called a
  'reverse record' because it connects a record with an IP address to a hostname instead of the other
  way around.
• TXT records contain text inserted by the administrator (such as notes about the way the network has
  been configured).

The information retrieved during DNS enumeration will consist of details about name servers and IP
addresses of potential targets (such as mail servers, sub-domains etc.).

Some tools used for DNS enumeration included with Kali Linux are: whois, nslookup, dig, host and automated
tools like Fierce, DNSenum and DNSrecon. Let's briefly review these tools and see how we can use them for
DNS enumeration.

To read further, please purchase an access pass on our website www.virtualhackinglabs.com
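As an added example (not the courseware's own code), the following Python script groups records as printed by `dig +noall +answer` into the record types listed above and pulls out what the text says enumeration yields: name servers, mail servers in preference order, aliases and the SOA details. The dig output it parses is constructed sample data for example.com with RFC 5737 documentation addresses, not a real lookup.

```python
"""Group DNS records printed by `dig +noall +answer` by type and pull out the
enumeration targets the courseware lists: name servers, mail servers, aliases
and the SOA details. Added example; the sample data below is constructed."""
from collections import defaultdict

# Constructed sample in dig's answer-section format: name TTL class type rdata.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_DIG_OUTPUT = """\
example.com.        3600  IN  A      192.0.2.10
example.com.        3600  IN  MX     20 mail2.example.com.
example.com.        3600  IN  MX     10 mail1.example.com.
example.com.        3600  IN  NS     ns1.example.com.
example.com.        3600  IN  NS     ns2.example.net.
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024031501 7200 3600 1209600 3600
example.com.        3600  IN  TXT    "v=spf1 mx -all"
www.example.com.    300   IN  CNAME  example.com.
"""

def parse_dig_answers(text):
    """Return (name, rtype, rdata) tuples; skips blank lines and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0].rstrip("."), fields[3], fields[4]))
    return records

def summarize_records(records):
    """Derive the hosts a tester would note down: NS, MX (by preference), CNAME, SOA."""
    by_type = defaultdict(list)
    for name, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
    # MX rdata is "<preference> <host>"; the lowest preference value is tried first.
    mx = sorted((int(r.split()[0]), r.split()[1]) for _, r in by_type["MX"])
    summary = {
        "name_servers": sorted(r.rstrip(".") for _, r in by_type["NS"]),
        "mail_servers": [host.rstrip(".") for _, host in mx],
        "aliases": {n: r.rstrip(".") for n, r in by_type["CNAME"]},
        "addresses": sorted(r for _, r in by_type["A"]),
    }
    if by_type["SOA"]:
        soa = by_type["SOA"][0][1].split()  # mname rname serial refresh retry expire minimum
        summary["soa"] = {"primary_ns": soa[0].rstrip("."),
                          "responsible": soa[1].rstrip("."),
                          "serial": int(soa[2])}
    return summary

if __name__ == "__main__":
    print(summarize_records(parse_dig_answers(SAMPLE_DIG_OUTPUT)))
```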
5.2 HOW TO WORK WITH EXPLOITS

In the previous chapter we used Exploit-db and Searchsploit to verify that there are exploits for the
vulnerabilities that we had previously discovered. Now we will look at what you need to do to download,
modify and execute those exploits. In particular there are a couple of steps required to ensure an exploit
is executed safely and to prevent it from doing anything unexpected.

Many of the exploits available on Exploit-db are written in Python, Perl, Ruby or Bash and can be
downloaded directly to the attack box. Once the scripts have been downloaded we need to analyse the
exploit code carefully to confirm that it does exactly what it advertises. Failure to take proper
precautions could open backdoors on the attack machine, wipe an entire hard drive on the target machine
or even add the machine to a botnet.

Once we're sure that we're dealing with an authentic exploit we will often need to make some
modifications to adapt the exploit to our target. Many exploits are written as proofs of concept (POCs),
which means that the exploit only proves that the attack can be done without causing harm (i.e. a
harmless payload is used). By way of example, a proof of concept exploit that exploits a remote code
execution vulnerability might be designed to just execute the ifconfig command and to display the output
on a webpage, thereby 'proving the concept' that remote code execution is possible without causing harm.
However, such a result is pretty useless if you actually want to gain a shell on the host and therefore
we need to modify the payload. Modifying such an exploit for practical use will require replacing the
ifconfig command with a reverse or bind shell command. Other modifications can include simply adding a
target host, port or other variable, replacing the bind/reverse shellcode or modifying offsets in buffer
overflow exploits.

Another reason to carefully examine the exploit code is that it often contains usage instructions in
comment blocks, or they may be obvious from the code itself. To work properly most scripts require a few
(static) variables in the code or values that are passed as arguments (a value passed to a function or
script, such as the IP address or a port) to be inserted. Usually they will be specific to the target,
such as an IP address, a port and sometimes credentials to access an administration panel for example. By
analysing the code of the exploit, we can find out which arguments are needed and how they are processed
in the script. Many exploits are programmed to print out usage instructions to the terminal when invalid
arguments are passed (or no arguments at all), but remember that we're not executing anything at this
moment and we want to retrieve information from static analysis. We are merely investigating how to use
the script before its execution.

So far we've talked about exploits written in scripting languages, such as Python and Perl. These
scripting languages are interpreted scripting languages where the code is executed by an interpreter. An
interpreter is a program that directly executes instructions written in a scripting language. For
example, Python code needs to be executed by a Python interpreter and to execute Perl code you would need
to use a Perl interpreter. There are also exploits written in programming languages that need to be
compiled before they can be executed. Compilation is the process of translating one programming language
into another where the output is an executable program. Privilege escalation exploits for Linux and
Windows are often written in such languages. In this chapter we will learn how to compile exploits for
both platforms.

Now that we have a better understanding of the exploitation phase and what we have to do before we can
successfully run exploits, let's walk through the process of downloading, analyzing, modifying and
compiling some exploits.

DOWNLOADING EXPLOITS
Before we can start to modify an exploit we first need to download it to the attack machine (transferring
exploits to target hosts will be covered in a separate chapter since this involves very different
techniques and sometimes different tools too). The easiest methods for obtaining exploits are:
• Downloading them from Exploit-db via a browser;
• Using a command line tool like wget; or,
• Copying the exploit code from Searchsploit

On the Exploit-DB website simply press the download button to download the selected exploit to your
machine:

You can also use wget to download the exploit from the command line:
wget [URL to exploit download] -O 35513.py

Or we can copy the exploit from the searchsploit database:

To read further, please purchase an access pass on our website www.virtualhackinglabs.com