CREST Bootcamp – (CPSA/CRT) Exam Prep

Course Objective
In this 5 Days Workshop, you will achieve the following:
Review the key aspect of the following areas:
• Hands-on journey into the hacking mind-set, examining and practically applying the tools and techniques that an external threat may use to launch “Infrastructure” attacks on your organization
• Designed to give you the skills you needed to undertake an application penetration test in order to ensure valuable data and assets are effectively protected.

What You’ll Learn:
• Learn a series of attack methodologies and gain practical experience using a range of tools to undertake an infrastructure penetration test across a multi-OS environment
• Able to identify and exploit vulnerabilities in a safe manner, you will be introduced to a range of defensive countermeasures, allowing you to protect your network and respond to cyber threats
• A number of methodologies for undertaking a web application penetration test
• How to exploit vulnerabilities to access data and functionality
• A range of defensive countermeasures as well as sufficient knowledge as to how to counter these attacks

Day 1
Introduction
• Review of Security Concepts Networking Refresher
• Review TCP/IP Subnetting
• Sniffing Traffic Information Gathering
• Methodology
• Sources of Information Gathering
• Information Gathering – wget, metadata, pdfinfo and extract
• b. DNS – dig, zone transfers,
• DNSenum and Fierce Linux/UNIX File System

Target Scanning
• Host Discovery – Nmap and Netdiscover
• b. Port Scanning with Nmap – Connect, SYN and UDP scans, OS detection
• c. Banner Grabbing – Amap, Netcat, Nmap, Nmap scripts (NSE)

Day 2
Vulnerability Assessment
• Vulnerability Management Lifecycle • Vulnerability Management
• Nikto
• Nessus

Attacking Windows
• Windows Enumeration – (SNMP, IPC$)
• Enum4linux
• RID Cycling – Enum4linux, Cain
• Metasploit
• Client-side Exploits – Internet Explorer, Metasploit Auxiliary Modules
• Privilege Escalation – Keylogging,
• Service Configuration
• Password Cracking – John The Ripper, Cain, Rainbow tables
• Brute-Force Password Attacks
• Attacks on Cached Domain
• Credentials
• Token Stealing – PsExec,
• Incognito, local admin to domain admin
• Pass the Hash

Day 3
Attacking Linux
• Linux User Enumeration
• Overview of Database Services
• Linux Exploitation without Metasploit
• Online Password Cracking –Medusa
• User Defined Functions
• ARP Poisoning Man in the Middle – clear-text protocols, secured
• Protocols
• Review Files System Permissions
• Exploit sudo and SUID misconfigurations
• Exploiting sudo through File Permissions
• Exploiting SUID and Flawed Scripts – logic errors
• Further Shell Script Flaw – Command injection, path exploits
• Privilege Escalation via NFS
• Cracking Linux Passwords
• Password attacks
• Exploit poorly written scripts
• Further NFS hacks
• Standard streams

Pivoting the Connection
• Automated tools at their best
• Accessing targets not exposed to our network
• Pivoting using Metasploit
• Using Proxychains
• Pivoting; the manual way
Retaining Access
• Retain access to compromised systems • Common malware strategies
• Techniques for bypassing anti-virus
Covering Tracks
• Alternative Data Streams
• Dark Comet

Day 4
Web Application Audit Overview
• Web application Threat
• Web Refresher
• Proxies
• The OWASP Top Ten
• Web application security auditing
• Tools and their limitations
• HTTP request and response modification
• Logic flaws
Ai-Injections -SQLi/XSS • Types
• Databases overview – data storage, SQL
• Exploiting SQL injection – e.g. data theft, authentication
• Exploiting Blind SQL injection
• Exploiting stored procedures and Bypass
• Exploiting leaked information through errors
• Exploiting Server-Side
• Template Injection (SSTI)
• Exploiting Server-Side
• Request Forgery (SSRF)
• Exploiting Application
• Programming Interface (API)

Day 5
Broken Authentication
• Attacking authentication pages
• Exploiting predictable requests
• Session management – cookies
Sensitive Data Exposure
• Identifying sensitive data
• Secure storage methods
XML External Entities (XXE)
• Identifying XXE
• Scenarios
Broken Access Control
• Insecure Direct Object Reference
• Direct vs indirect object references
• Cross-site Request Forgery (CSRF)
• Missing Function Level Access Control
• Unvalidated Redirects and Forwards
Security Misconfiguration
• Identifying misconfiguration • Scenarios
Cross-site Scripting (XSS)
• JavaScript
• Email spoofing
• Phishing
• Reflected and Persistent XSS
• Cookies, sessions and session hijacking
Insecure Deserialization
• Identifying insecure object
• Scenarios
Using Components with Known Vulnerabilities
• Identifying well know vulnerabilities with components
• Scenarios
Insufficient Logging & Monitoring
• Scenarios
Additional Web Auditing Tool and Conclusions
• Scenarios