Academy Module Layout

Penetration Testing Stages:

Pre-Engagement:

  • The pre-engagement stage is where the main commitments, tasks, scope, limitations, and related agreements are documented in writing.

  • Path From Here:

    • Information Gathering: Next, we move towards the Information Gathering stage. Before any target systems can be examined and attacked, we must first identify them.

  • Modules Required:

    • Learning Process (Not Included)

    • Linux Fundamentals (Not Included)

    • Windows Fundamentals (Not Included)

    • Introduction to Networking (Not Included)

    • Introduction to Web Applications (Not Included)

    • Web Requests (Not Included)

    • JavaScript Deobfuscation (Not Included)

    • Introduction to Active Directory (Not Included)

    • Getting Started

Information Gathering

  • Information gathering is an essential part of any assessment.

  • The knowledge we gain, the conclusions we draw, and the steps we take all rest on the information available to us.

  • Time, patience, and personal commitment all play a significant role in information gathering.

  • Paths from here

    • Vulnerability Assessment: The next stop on our journey is Vulnerability Assessment, where we use the information found to identify potential weaknesses.

  • Modules Required:

    • Network Enumeration with Nmap

    • Footprinting

    • Information Gathering - Web Edition

    • OSINT: Corporate Recon (Not Included)

Vulnerability Assessment

  • The vulnerability assessment stage is divided into two areas. On the one hand, it is an approach to scan for known vulnerabilities using automated tools. On the other hand, it is analyzing the information we have already gathered for potential vulnerabilities.

  • Paths from here

    • Exploitation: The first path leads into the Exploitation stage. We take it when we do not yet have access to a system or application. Of course, this assumes that we have already identified at least one potential vulnerability and prepared everything necessary to attempt to exploit it.

    • Post-Exploitation: The second way leads to the Post-Exploitation stage, where we escalate privileges on the target system. This assumes that we are already on the target system and can interact with it.

    • Lateral Movement: Our third option is the Lateral Movement stage, where we move from the already exploited system through the network and attack other systems. Again, this assumes that we are already on a target system and can interact with it.

    • Information Gathering: The last option is returning to the Information Gathering stage when we do not have enough information on hand. Here we can dig deeper to find more information that will give us a more accurate view.

  • Modules Required:

    • Vulnerability Assessment

    • File Transfers

    • Shells & Payloads

    • Using the Metasploit-Framework

Exploitation

  • Exploitation is the attack performed against a system or application based on the potential vulnerability discovered during our information gathering and enumeration.

  • We use the information from the Information Gathering stage, analyze it in the Vulnerability Assessment stage, and prepare the potential attacks.

  • Paths from here

    • Information Gathering: Once we have initial access to the target system, regardless of how high our privileges are at that moment, we need to gather information about the local system.

    • Post-Exploitation: Post-exploitation is mainly about escalating privileges if we have not yet attained the highest possible rights on the target host.

    • Lateral Movement: From here, we can also skip directly over to Lateral Movement. This can happen under different conditions, for example when the initial foothold already provides credentials or network access that can be used against other hosts.

    • Proof-of-Concept: We can take the last path after gaining the highest privileges by exploiting an internal system. Of course, we do not necessarily have to have taken over all systems.

  • Modules Required:

    • General Network Protocols:

      • Password Attacks

      • Attacking Common Services

      • Pivoting, Tunneling & Port Forwarding

      • Active Directory Enumeration & Attacks

    • Web Exploitation:

      • Using Web Proxies

      • Attacking Web Applications with Ffuf

      • Login Brute Forcing

      • SQL Injection Fundamentals

      • SQLMap Essentials

      • Cross-Site Scripting (XSS)

      • File Inclusion

      • Command Injections

      • Web Attacks

      • Attacking Common Applications

Post-Exploitation

  • In most cases, when we exploit certain services to gain access to a system, we do not obtain the highest possible privileges.

  • Services are typically run in an "isolated" configuration with restricted privileges to limit what an attacker who compromises them can do. Bypassing these restrictions is the next step we take in this stage.

  • After we have gained access to a system, we must be able to take further steps from within the system. During a penetration test, customers often want to find out how far an attacker could go in their network.

  • Paths from here

    • Information Gathering / Pillaging: Before we can begin escalating privileges, we must first get an overview of the inner workings of the exploited system. After all, up to this point we do not know which users are on the system and what options are available to us. This step is also known as Pillaging. Unlike the other paths, this one is not optional but essential.

    • Exploitation: Suppose we have found sensitive information about the system and its contents. In that case, we can use it to exploit local applications or services running with higher privileges and execute commands with those privileges.

    • Lateral Movement: From here, we can also skip directly over to Lateral Movement. This can come under different conditions. If we have achieved the highest privileges on a dual-homed system used to connect two networks, we can likely use this host to start enumerating hosts that were not previously available to us.

    • Proof-of-Concept: We can take the last path after gaining the highest privileges by exploiting an internal system. Of course, we do not necessarily have to have taken over all systems. However, if we have gained the Domain Admin privileges in an Active Directory environment, we can likely move freely across the entire network and perform any actions we can imagine.

  • Modules Required:

    • Linux Privilege Escalation

    • Windows Privilege Escalation
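The Pillaging step above starts with the question "which users are on this system and which of them matter?". The following script is an added example for this section, not code from the HTB Academy module: it parses /etc/passwd and /etc/group and reports UID-0 accounts, accounts with an interactive login shell, and members of groups that commonly give a path to root. The list of privileged groups, the no-login shell list and the sample passwd/group contents are constructed assumptions; run it on a real host and it reads the live files instead.

```python
"""Local account triage for the Pillaging step (added example, not from the page)."""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: groups whose membership is commonly root-equivalent or close to it.
# Extend per target; e.g. docker, lxd and disk each have a well-known route to root.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "adm", "docker", "lxd", "disk", "shadow"}

# Shells that refuse an interactive login (an empty shell field also means no login here).
NOLOGIN_SHELLS = {"", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    groups: set[str] = field(default_factory=set)

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS

    @property
    def privileged_groups(self) -> set[str]:
        return self.groups & PRIVILEGED_GROUPS


def parse_passwd(text: str) -> dict[str, Account]:
    """name:pw:uid:gid:gecos:home:shell -> Account. Malformed lines are skipped, not fatal."""
    accounts: dict[str, Account] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.lstrip().startswith("#"):
            continue
        name, _, uid, gid, _, home, shell = fields
        try:
            accounts[name] = Account(name, int(uid), int(gid), home, shell)
        except ValueError:  # non-numeric uid/gid: ignore the line
            continue
    return accounts


def apply_groups(accounts: dict[str, Account], text: str) -> None:
    """Fill in membership from /etc/group: explicit members plus each account's primary GID."""
    gid_to_name: dict[int, str] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.lstrip().startswith("#"):
            continue
        gname, _, gid, members = fields
        gid_to_name[int(gid)] = gname
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member].groups.add(gname)
    for acct in accounts.values():
        if acct.gid in gid_to_name:
            acct.groups.add(gid_to_name[acct.gid])


def triage(passwd_text: str, group_text: str) -> dict[str, list[str]]:
    """The three lists an operator wants first after landing on a host."""
    accounts = parse_passwd(passwd_text)
    apply_groups(accounts, group_text)
    return {
        "uid0": sorted(a.name for a in accounts.values() if a.uid == 0),
        "interactive": sorted(a.name for a in accounts.values() if a.interactive),
        "privileged": sorted(
            f"{a.name}:{','.join(sorted(a.privileged_groups))}"
            for a in accounts.values() if a.privileged_groups
        ),
    }


# Constructed sample files (not taken from any real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-deploy:x:1002:1002::/opt/deploy:/bin/sh
"""
SAMPLE_GROUP = """root:x:0:
daemon:x:1:
adm:x:4:alice
sudo:x:27:alice
www-data:x:33:
backup:x:34:
docker:x:998:bob
alice:x:1000:
bob:x:1001:
svc-deploy:x:1002:
"""

if __name__ == "__main__":
    if os.path.exists("/etc/passwd") and os.path.exists("/etc/group"):
        report = triage(Path("/etc/passwd").read_text(), Path("/etc/group").read_text())
    else:
        report = triage(SAMPLE_PASSWD, SAMPLE_GROUP)
    for key, names in report.items():
        print(f"{key:12} {', '.join(names) or '-'}")
```

On the sample data the second UID-0 account (toor) and the docker membership of bob are exactly the kind of findings the paragraph means by "what options are available to us": both are escalation paths that no automated scanner from the Vulnerability Assessment stage would have reported from the outside.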

Lateral Movement

  • Lateral movement is one of the essential components for moving through a corporate network.

  • We can use it to reach other internal hosts and further escalate our privileges within the current subnet or another part of the network.

  • Paths from here

    • Information Gathering / Pillaging: After a successful lateral movement, we can jump into Pillaging once again. This is local information gathering on the target system that we accessed.

    • Vulnerability Assessment: If the penetration test is not finished yet, we can jump from here to the Vulnerability Assessment stage.

    • Proof-of-Concept: Once we have made the last possible lateral movement and completed our attack on the corporate network, we can summarize the information and steps we have collected.

  • Modules Required:

    • None as all are covered in previous stages.

Proof of Concept (PoC)

  • The Proof-of-Concept (PoC) is merely proof that a vulnerability we found exists.

  • As soon as the administrators receive our report, they will try to confirm the vulnerabilities found by reproducing them.

  • Since we have already collected all the necessary information and used the vulnerability ourselves, it takes little effort to automate the individual steps so that the finding can be reproduced.

  • Paths from here

    • Post-Engagement: At this point, we can only go to the post-engagement stage, where we optimize and improve the documentation and send it to the customer after an intensive review.

  • Modules Required:

    • Introduction to Python 3

Post-Engagement

  • The Post-Engagement stage also includes cleaning up the systems we exploited so that none of them can be compromised through the tools or artifacts we left behind.

  • It is essential to remove all content that we have transferred to the systems during our penetration test so that the corporate network is left in the same state as before our penetration test.


  • Paths from here

    • None as this is the final stage.

  • Modules Required:

    • Documentation & Reporting

    • Attacking Enterprise Networks
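Leaving the network "in the same state as before" is only possible if every transferred file was written down when it was dropped. The following script is an added example for this section, not code from the HTB Academy module: it keeps a JSON manifest of every artifact placed on a target with its SHA-256, and at clean-up time removes each entry only if it is still byte-identical. A file that changed since we dropped it is flagged rather than deleted (the customer may have touched it), and one that is already gone is reported as such. The manifest format, the host name and the temporary directory standing in for a target's filesystem are constructed assumptions.

```python
"""Artifact manifest for Post-Engagement clean-up (added example, not from the page)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so large tool binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ArtifactManifest:
    """JSON list of every file we placed on a target during the test."""

    def __init__(self, manifest_path: Path):
        self.path = manifest_path
        self.entries = json.loads(self.path.read_text()) if self.path.exists() else []

    def record(self, host: str, path: Path, note: str = "") -> None:
        """Call at the moment a file is transferred, not from memory at the end of the test."""
        self.entries.append({
            "host": host,
            "path": str(path),
            "sha256": sha256_of(path),
            "note": note,
            "status": "present",
        })
        self._save()

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.entries, indent=2))

    def cleanup(self) -> dict[str, list[str]]:
        """Delete each recorded artifact, but only while it is still byte-identical to what we dropped."""
        outcome: dict[str, list[str]] = {"removed": [], "modified": [], "missing": []}
        for entry in self.entries:
            target = Path(entry["path"])
            if not target.exists():
                entry["status"] = "missing"     # already gone: still worth a line in the report
            elif sha256_of(target) != entry["sha256"]:
                entry["status"] = "modified"    # someone changed it: do not delete blindly
            else:
                target.unlink()
                entry["status"] = "removed"
            outcome[entry["status"]].append(entry["path"])
        self._save()                            # the final manifest is an appendix for the report
        return outcome


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: a temp dir stands in for the target's filesystem."""
    root = Path(tempfile.mkdtemp(prefix="target-"))
    manifest = ArtifactManifest(root / "engagement-manifest.json")

    uploads = {  # constructed stand-ins for files dropped during the test
        root / "var/www/html/cmd.php": b"<?php /* constructed stand-in for a web shell */ ?>",
        root / "tmp/linpeas.sh": b"#!/bin/sh\n# constructed stand-in for an enumeration script\n",
        root / "tmp/chisel": b"\x7fELF constructed stand-in for a pivoting binary",
    }
    for path, content in uploads.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        manifest.record("web01", path, "dropped during the test")

    # Things that happen between upload and clean-up on real engagements:
    (root / "tmp/linpeas.sh").write_bytes(b"#!/bin/sh\necho edited by an admin\n")  # modified
    (root / "tmp/chisel").unlink()                                                   # removed already

    return manifest.cleanup()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash check is the important design choice: deleting by path alone would also delete whatever the customer has since put at that path, which is the opposite of restoring the original state. The three outcome lists map directly onto the clean-up section of the report.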
