PENETRATION TESTING
COURSEWARE SAMPLE
WWW.VIRTUALHACKINGLABS.COM
INTRODUCTION
ABOUT US
The Virtual Hacking Labs is an InfoSec e-learning company focusing on practical penetration testing
training solutions. We believe that the most effective and efficient learning approach is to combine
practical scenario based training with easy to understand courseware. To fulfil this learning experience
we have created a full virtual penetration testing environment called: The Virtual Hacking Labs.
Our mission is to create the best Virtual Hacking Labs and training materials at an affordable rate for as many (aspiring) information security professionals as possible. The Virtual Hacking Labs wants to provide continuously updated labs and courseware that can be used to maintain the knowledge and skill levels that are expected from IT security professionals. We also want to make practical training available for anyone aspiring to a job as ethical hacker or penetration tester. For this reason our courseware starts from the basics and gradually increases in difficulty by covering more advanced subjects.

PENETRATION TESTING LAB
The Virtual Hacking Labs is a penetration testing lab accompanied by extensive courseware covering the most important subjects in the field of penetration testing. The Virtual Hacking Labs contain many real-world scenarios that allow you to learn and practice penetration testing in a safe environment. Many of these scenarios can be found in a lot of company IT environments and contain devices such as: Domain Controllers, Firewalls, Linux and Windows servers, NAS, Android devices and of course Windows and Linux clients. All devices and machines in the labs are configured to be intentionally vulnerable and can be exploited in one or more ways.

LAB ACCESS
Access to the Virtual Hacking Labs is provided through a VPN client which connects you to the network as if it is a real company network. We provide several popular pre-configured penetration testing distributions such as Kali Linux and Parrot Security OS. Installing the penetration testing distribution of your choice is very easy and usually consists of a few clicks.

VULNERABLE HOSTS
In the labs you will learn how to compromise both Windows and Linux hosts running webservers, mail servers, development tools and many more services and protocols. You will also encounter network devices like virtual firewalls, routers and NAS systems commonly used in both personal and enterprise settings. Every system is configured to contribute to a specific learning experience using one or more attack vectors.

The lab hosts are vulnerable to Remote Code Execution, SQL injection, Local File Inclusion, Remote File Inclusion and many more vulnerabilities. After getting an initial command line shell on an exploited target, you will have the opportunity to practice privilege escalation techniques that are used to upgrade the current shell with administrator privileges.
RESET PANEL
The Virtual Hacking Labs reset panel can be used to
reset hosts in the lab network back to their original state.
Resetting a host is particularly useful when a host is left
in a state where it is not vulnerable anymore. Resetting
the host will give you a fresh start on the machine.
Every student is allowed to reset hosts in the lab every
15 minutes through the reset panel. This guarantees
an effective learning experience as designed without
delays.
STUDENT PANEL
All students have access to a dedicated student panel that can be used to track your course and lab progress. This panel also provides information about the lab machines, including hints for anyone that's stuck at a specific box. This way you can choose what your learning path will look like.

The hints are not direct solutions for the lab machines but they contain enough information to push you in the right direction. To keep the Virtual Hacking Labs challenging for everyone we only provide hints for the Beginner and Advanced machines. The Advanced+ hosts are the final challenge and are excluded from hints.
CERTIFICATE OF COMPLETION
Those who managed to get root/administrator access on at least 20 lab machines can request a certificate of completion. This trophy consists of a PDF certificate with your name and a set of badges to use for social media such as LinkedIn. The VHL Certificate of Completion is included at no additional cost with a month pass and greater.

To be eligible for the VHL Certificate of Completion you need to:
1. Get root/administrator access on at least 20 lab machines.
2. Supply documentation of the exploited vulnerabilities.
3. Supply screenshots proving that you rooted the lab machines.
4. Supply the contents of key.txt files from the rooted lab machines.

The documentation should at least contain information about the exploited vulnerabilities, such as the CVE IDs, used exploits and screenshots of the exploitation process. The screenshots should contain at least the following information: lab machine IP, your IP and the used commands (command line, URLs, requests etc.). For privilege escalation also include screenshots with the output of the id/whoami/getuid command before and after executing the exploit.

After submitting the documentation we will manually verify the information and check the authenticity of the screenshots. Be sure to include in the documentation your student ID and the full name to display on the Certificate of Completion. Also use the e-mail address you have signed up with at the Virtual Hacking Labs. When the supplied documentation and screenshots have been approved we will send the Certificate of Completion as soon as possible.

Completing the penetration testing course may qualify you for 40 (ISC)² CPE and EC-Council credit hours. The Certificate of Completion can be used as proof of completing the course.

PRICING
Access passes include all access to our labs, online courseware, courseware e-book and a certificate of completion, except for the week pass, which does not include the certificate and the e-book version of the courseware.

1 week access    $49    €46
1 month access   $99    €93
3 month access   $249   €233
6 month access   $449   €419
1 year access    $749   €699
COURSE TABLE OF CONTENTS
Passive information gathering is the process of collecting information about a specific target from publicly
available sources that can be accessed by anyone. They include search engine data, social media, online
databases and even the company website. This kind of information gathering is all about ‘getting to know
your target’ and is usually performed before starting the actual penetration test because it may yield
valuable information for later use. Intentionally or unintentionally, many companies leak information
that can be picked up by hackers without ever touching the company servers. Some of this information
can be important and, when combined with other data, may become a serious security threat. Think of
how employee names can be combined with company naming conventions to generate real and useable
account names. This kind of data can be used to perform more effective password attacks for hackers to
gain an initial beachhead on the company network.
In the previous chapter we used Exploit-db and Searchsploit to verify that there are exploits for the vulnerabilities that we had previously discovered. Now we will look at what you need to do to download, modify and execute those exploits. In particular there are a couple of steps required to ensure an exploit is executed safely and to prevent it from doing anything unexpected.
Many of the exploits available on Exploit-db are written in Python, Perl, Ruby or Bash and can be downloaded directly to the attack box. Once the scripts have been downloaded we need to analyse the exploit code carefully to confirm that it does exactly what it advertises. Failure to take proper precautions could open backdoors on the attack machine, wipe an entire hard drive on the target machine or even add the machine to a botnet.

Once we're sure that we're dealing with an authentic exploit we will often need to make some modifications to adapt the exploit to our target. Many exploits are written as proofs of concept (POCs), which means that the exploit only proves that the attack can be done without causing harm (i.e. a harmless payload is used). By way of example, a proof of concept exploit that exploits a remote code execution vulnerability might be designed to just execute the ifconfig command and to display the output on a webpage, thereby 'proving the concept' that remote code execution is possible without causing harm. However, such a result is pretty useless if you actually want to gain a shell on the host and therefore we need to modify the payload. Modifying such an exploit for practical use will require replacing the ifconfig command with a reverse or bind shell command. Other modifications can include simply adding a target host, port or other variable, replacing the bind/reverse shellcode or modifying offsets in buffer overflow exploits.

Another reason to carefully examine the exploit code is that it often contains usage instructions in comment blocks, or they may be obvious from the code itself. To work properly most scripts require a few (static) variables in the code or values that are passed as arguments (a value passed to a function or script, such as the IP address or a port) to be inserted. Usually they will be specific to the target, such as an IP address, a port and sometimes credentials to access an administration panel, for example. By analysing the code of the exploit, we can find out which arguments are needed and how they are processed in the script. Many exploits are programmed to print out usage instructions to the terminal when invalid arguments are passed (or no arguments at all), but remember that we're not executing anything at this moment and we want to retrieve information from static analysis. We are merely investigating how to use the script before its execution.

... the code is executed by an interpreter. An interpreter is a program that directly executes instructions written in a scripting language. For example, Python code needs to be executed by a Python interpreter and to execute Perl code you would need to use a Perl interpreter. There are also exploits written in programming languages that need to be compiled before they can be executed. Compilation is the process of translating one programming language into another where the output is an executable program. Privilege escalation exploits for Linux and Windows are often written in such languages. In this chapter we will learn how to compile exploits for both platforms.

Now that we have a better understanding of the exploitation phase and what we have to do before we can successfully run exploits, let's walk through the process of downloading, analyzing, modifying and compiling some exploits.

DOWNLOADING EXPLOITS
Before we can start to modify an exploit we first need to download it to the attack machine (transferring exploits to target hosts will be covered in a separate chapter since this involves very different techniques and sometimes different tools too). The easiest methods for obtaining exploits are:
• Downloading them from Exploit-db via a browser;
• Using a command line tool like wget; or,
• Copying the exploit code from Searchsploit.

On the Exploit-DB website simply press the download button to download the selected exploit to your machine.

You can also use wget to download the exploit from the command line:

    wget [URL to exploit download] -O 35513.py

Or we can copy the exploit from the searchsploit database: