Pen tests are large projects and must be planned for accordingly, or else it's easy for them to get out of scope and become more work than you initially thought. Understand the importance of planning and scoping an engagement using strategy, project management skills, and pen testing resources.

Pen tests are risky at best and can violate security rules or even legislation at worst. Learn how to establish rules of engagement with your client, including understanding who they are, what the target limits are, what the test scope is, and who to communicate with should something go awry during one of your attacks.

Pen tests succeed or fail based on how well the team collaborates and communicates. Discover best practices for peer review, secure handling of sensitive results, and performing root cause analysis to provide lasting value. Learn how Business Impact Analysis and formal client acceptance keep engagements aligned, focused, and trusted from start to finish

Legislative bodies and industry organizations may require certain organizations to comply with requirements to avoid sanctions or carry out business functions. Pen testing is one way to determine if an organization's policies and controls comply with pertinent requirements. Two common compliance requirements that mandate pen tests are PCI DSS and GDPR.

A pen test is more than just a simple test; it's a large-scale engagement. Before you begin, you need to explain to your client what the impact of the tests might be. If they have any constraints, such as not attacking a production server, they should make you aware of them since the result could be catastrophic for the business if it went down during one of your attacks.

Many activities in a pen test are technically against the rules and policies or even illegal. You need to make sure you're covered legally, so you don't get in trouble for doing something during an attack that your client isn't aware of. This video covers the basics of SOWs, MSAs, and NDAs, the differences between environments, nations, cultures, and corporations, and getting written permission to perform the tests, so you don't get into trouble later.

A comprehensive pen test is one that addresses as many aspects of an IT infrastructure as possible and satisfies all of the testing requirement goals. Using industry-accepted pen testing standards, a methodology helps pen testers avoid missing critical areas. Two common pen testing frameworks are the MITRE ATT&CK framework and the OWASP resources.

Several organizations publish standards for pen testing to help pen testers plan exhaustive tests, including NIST standards and frameworks, OSSTMM. PTES, and ISSAF.

Pen testing frameworks and threat models provide structure and clarity for engagements across industries. Explore CREST for professional standards, MASVS for mobile application testing, and the Purdue Model for industrial control systems. Then dive into three powerful threat modeling approaches—DREAD, STRIDE, and OCTAVE—to better assess risk and strengthen your testing strategy

When scoping pen testing activities, planners should consider the environment in which the test will run, including network architecture, applications running, cloud versus on-premises components, off-limits components or segments, and the type of assessment to be performed.

This video walks you through how to create a lab environment where you can practice your pen testing skills. Learn how to set up the virtual machine manager Oracle VirtualBox and install virtual machines within it, including the toolkit of all toolkits, Kali Linux, and two intentionally vulnerable VMs where you can practice attacking a system called Damn Vulnerable Web App (DVWA) and Metasploitable.

A black-box pen tester is someone who knows nothing going into the engagement, and a white-box pen tester is more like a company insider who has a certain amount of knowledge before they begin. Whichever way you plan to play the role, these are some of the considerations you'll need to figure out before you begin your pen testing. Are you whitelisted or blacklisted? Do you know the layers of security controls your client has? How invasive will the test be? Learn the nuances of how to strategize your engagement and prepare the client for the possible risks involved.

It's important to survey the environment and gather all the correct information to determine where any vulnerabilities might lie. By using techniques such as scanning and enumeration, you'll know exactly where the weak points are on a network and how to classify them in order to launch the appropriate attacks.

Now that you know what surveying and enumeration are, it's time to put that knowledge into action. Running Metasploitable on a virtual box, you will learn how to use Nmap, ping sweep scan, ARP Scan, and whois lookup to determine which targets are the easiest to get to.

If you don't get a response from a host after an initial scan, you can use additional tools to find out more information. Learn how to use packet crafting to create specific network packets to gather or carry out attacks. Also, use packet inspection, fingerprinting, cryptography, and eavesdropping to gather information and determine what traffic is being sent.

Many functions of a pen test are only as good as the tools you have available to you. In conjunction with Metasploitable, learn how to use Wireshark, a free and useful application for information gathering and packet inspection, to break down exactly what's happening inside each packet sent through the network.

Labtainers is a self-contained open-source cybersecurity lab environment with dozens of hands-on labs that are easy to access. We will use the labtainers environment for the labs you will explore throughout this course.

The Wireshark labtainers lab introduces students to the process of analyzing network traffic using the freely available Wireshark tool.

Sometimes, to go forward, you must go backward. Understand how you can use code decompiling and debugging to work backward and learn a program's secrets and weaknesses to determine the best way to exploit them. Learn the resources you can use to dig into web application code and how that information can benefit you when planning your attacks.

Prioritizing attack targets is essential for an efficient and impactful penetration test. Learn how to use scoring models like CVSS and EPSS to weigh severity and exploitability, while also considering real-world risk factors such as end-of-life software, default configurations, weak encryption, and exposed services. See how these elements guide preparation and ensure your tests focus on the vulnerabilities that matter most

Before launching any attacks, an effective pen tester learns about the target environment by carrying out reconnaissance on the environment to identify potential weaknesses. Passive reconnaissance describes activities in which the pen tester uses external resources to learn about a potential victim.

Another part of the reconnaissance process is digging into a target's infrastructure to learn more than external resources may yield. Active reconnaissance describes the process of querying a target environment's resources and sending specially crafted network packets to examine any responses. Active reconnaissance is easier for a target to detect but often yields better information that a pen tester can use to devise an effective attack plan.

Enumeration is more than scanning ports—it’s about uncovering hidden details that attackers can exploit. Learn how files like robots.txt and sitemap.xml can expose sensitive paths, and why vulnerable plugins expand the attack surface. Explore two essential tools: Impacket, for protocol-level attacks and credential abuse, and msfvenom, for crafting payloads during exploitation

There is no shortage of known vulnerabilities on any computing device, but how do you match known vulnerabilities with your target's weaknesses? By applying a structured approach, you can find out if specific vulnerabilities exist on a target. Learn about discovery scans, full scans, port scans, stealth scans, and compliance scans.

Now that you know the various methods for testing vulnerabilities see exactly how to use stealth scanning, port scanning, OS fingerprinting, and OpenVas to assess vulnerabilities.

The Network Basics labtainers lab introduces students to basic networking concepts and protocols, including ARP, ping, and TCP/IP.

The Nmap Discovery labtainers lab introduces students to the Nmap utility and how to use Nmap to locate an ssh server on a network and also to discover the port number being used by the service.

There are some very important considerations to take into account when planning an attack. Learn the importance of finding out whether you're attacking a physical machine, virtual machine, or container and what the best analysis tool is to use. Learn how to map targets to business value so you can focus on what vulnerability will hurt the business the worst.

Collecting intelligence about a potential target is only the first step. A pen tester must also be able to analyze the output from reconnaissance activities. Understanding what reconnaissance output contains is a critical part of selecting effective attacks in pen test planning.

As a pentester, the Nmap command will be one of your greatest tools. It is a network mapper with numerous options. Learn how to detect the operating system of a machine, conduct stealthy scans, determine the service and version information, enumerate targets, and output the scan results into several different file formats.

Being fast is normally great, but as a pentester, fast can mean creating a lot of network traffic, unintentionally alerting your target that something is happening. When you need to fly under the radar, use Nmap (along with a helpful cheat sheet) to help you stealthily apply your vulnerability scans, so there's less chance of being detected.

You've ranked your assets, vulnerabilities, and exploits, and now it's time to make a priorities list and leverage that information to plan your penetration tests. Use powerful Nmap scripts to map those vulnerabilities to potential exploits.

There are many pen testing techniques, and often they are used together to successfully attack a target. Learn some of the more common attack techniques such as exploit modification, exploit chaining, social engineering, credential brute-forcing, and enlightened attacks.

Since many pen testing activities are interactive and are repeated multiple times with slight input variations, automating as many of the pen tests as possible increases efficiency and reduces human errors. Explore options to automate any tests that are part of a pen test plan.

This video walks you through the process of a brute force attack. With a list of usernames and passwords, an IP address, and a port number, you will see how the Hydra tool can help you become an authorized user.

The Password Cracking labtainers lab introduces students to password basics and how to carry out elementary password cracking attacks.

The Secure Socket Layers labtainers lab introduces students to the use of SSL to authenticate both sides of a connection, including creating and signing certificates using a CA.

The Routing Basics labtainers lab introduces students to a simple routing example with two LANs and an Internet connection via NAT.

This video covers a high-level overview of the various network-based protocols and their vulnerabilities. These include NETBIOS Name Service (NBNS), LLMNR (Link-Local Multicast Name Resolution), DNS and ARP poisoning, SMB (Server Message Block), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transport Protocol), and FTP (File Transfer Protocol).

Authentication remains a prime target for attackers, even with modern defenses in place. Explore how techniques like MFA fatigue and mask attacks bypass common protections, and learn how flaws in federated identity protocols such as OIDC and SAML can lead to account compromise. Understand how these methods are used in penetration tests to reveal weaknesses before attackers exploit them

In this video, learn how to launch an FTP attack in Kali Linux. You'll start by using the vulscan option in Nmap to identify vulnerabilities within specific ports and IP addresses. Then explore the databases in the Metasploitable Framework to find the specific exploit you'll want to use. Finally, you'll launch the Metasploitable Framework Console, type in a few commands, and let Kali execute the exploit for you as you sit back and watch the pen testing magic happen.

You don't have to be on the client or the server side to exploit a target. Man-in-the-middle attacks put the attacker in between the communication as a proxy to steal the network packets as they're passed back and forth. These include DNS cache poisoning, ARP spoofing, pass the hash, replay, relay, SSL stripping, downgrading, DoS, NAC bypass, and VLAN hopping.

The TCP/IP Attacks labtainers the lab introduces students to TCP/IP protocol vulnerabilities, including SYN flooding, RST attacks, and session hijacking.

The ARP Spoof Attack labtainers lab introduces students to the use of ARP spoofing for Man-in-the-middle attacks.

The Local DNS Attacks labtainers lab introduces students to DNS spoofing and cache poisoning on a local area network.

The MACs and Hash Functions labtainers lab introduces students to cryptographic hashes and the potential for hash collisions.

Because wireless communication uses broadcast technology, essentially sending your data packets in every direction for anyone to grab, it makes it a great target for attackers. Learn how to use tools like Aircrack-ng and Wireshark to sniff and grab packets. Also, understand the different types of attacks available to you, such as evil twin, deauthentication, fragmentation, credential harvesting, exploiting WPS weaknesses, Bluejacking, Bluesnarfing, RFID cloning, jamming, and repeating.

As more and more users depend on wireless communications to connect to network resources, attackers have developed more sophisticated attacks on wireless networks. Some newer wireless attacks include those focused on data modification, data corruption, capturing handshakes, and on-path, or man-in-the-middle, attacks.

Applications are great targets to attack, especially if you're trying to disrupt communication with DoS or if you're looking to exfiltrate or destroy data. This video covers injection attacks, which are essentially inserting additional data beyond what the application is expecting to make it give you some information or perform some action for you. These include SQL, HTML, command, and code injection attacks.

As a pentester, you can get web apps to give you all kinds of information by leveraging mistakes developers make during the development phase. After configuring your DVWA to make sure it's extra vulnerable, you'll learn how to type commands into a seemingly benign data form box to make the web app respond back with extra database information and even run a script to make a dialogue box appear.

The SQL Injection labtainers lab introduces students to SQL injection attacks and countermeasures.

The beauty of applications is they already have access to databases; all you have to do is figure out how to exploit the vulnerabilities to get to that information. This video covers authentication attacks such as credential brute-forcing, session hijacking, redirecting, as well as exploiting default or weak credentials and Kerberos tickets. It also covers authorization attacks such as parameter pollution and insecure direct object reference.

In this final episode describing application exploits, you'll learn about another application injection attack called cross-site scripting (XSS), which attacks the server, and its similar cousin, cross-site request forgery (XSRF/CSRF) that attacks the user. You'll also discover how to launch passive attacks just by exploiting security misconfigurations, including directory traversal errors, cookie manipulation, and file inclusion.

Pen testing is often trying one thing, tweaking it, and trying again. Back in our lab environment, you'll see a cross-site scripting (XSS) attack carried out using Kali Linux and the Damn Vulnerable Web App (DVWA).

The Cross-Site Scripting labtainers lab introduces students to cross-site scripting (XSS) attacks on a vulnerable web server.

The Cross-Site Request Forgery labtainers lab introduces students to Cross-Site Request Forgery (CSRF) attacks with a vulnerable website.

Increased reliance on distributed applications means more API use and more vulnerabilities related to APIs. Pen testers should understand RESTful, XML-RPC, and SOAP API weaknesses and attacks and understand how to use resources such as word lists in attacking services.

In order to access systems and files in Linux, you need privileges. One way to do that is to leverage Linux's SUID (Set User ID) and SGUID (Set Group ID) capabilities. In this episode, you'll find out ways to escalate your privilege using various executables.

Windows OS also has the issue of privilege escalation. As a pentester, you can use this to your advantage by finding ways to access credentials stored in Cpassword, LDAP, LSASS, and SAM databases, among others. You can also take exploit Kerberos tickets by Kerberoasting or force malicious DLL modules to load with DLL hijacking.

There are a few other Windows OS vulnerabilities you can exploit to gain higher levels of privileges. In this video, you'll learn about unquoted services paths and writable services in Windows Services. You'll also learn the weaknesses of applications as well as another tricky way to access credentials: using a keylogger.

Continuing the conversation on possible vulnerabilities you can exploit as a pentester, you'll learn about how often default accounts are rarely changed or disabled, making them a perfect target to attack. Yet another way to gain access is to escape sandbox environments such as VMs and containers. Finally, you'll learn about physical device security, such as cold boot attacks, JTAG debuggers, and serial consoles.

Host-based vulnerabilities open the door to privilege escalation and lateral movement within compromised systems. Explore key post-exploitation tools like Rubeus for Kerberos attacks, Certify for Active Directory Certificate Services abuse, Seatbelt for reconnaissance, PsExec for remote execution, and Evil-WinRM for stealthy PowerShell access. Learn how each fits into host-based penetration testing engagements

Cloud computing is more popular and complex than ever, and attacks on cloud environments are more prevalent than in the past. Pen testers should be familiar with common cloud attacks, including credential harvesting, privilege escalation, account takeover, metadata service attacks, and misconfigured cloud assets.

In addition to an awareness of general cloud attacks, pen testers should be familiar with specific cloud environment attacks, including resource exhaustion, cloud malware injection, DoS, side-channel, and direct-to-origin attacks.

Mobile devices have unique characteristics and unique vulnerabilities that could lead to successful attacks. To help protect mobile devices, you'll learn about reverse engineering, sandbox analysis, spamming, other mobile-specific attacks, and tools that can help assess and secure mobile devices.

Virtualization is a foundation of today's IT environment, both as the basis of cloud computing as well as in common use within organizations and even on personal computers. In this section, you'll learn about virtualization vulnerabilities, including VM escape, hypervisor vulnerabilities, VM repository vulnerabilities, and vulnerabilities related to containerized workloads.

The Industrial Control System labtainers lab introduces students to using the GrassMarlin tool to view traffic you generate interacting with a PLC.

Although well-executed social engineering attacks can be some of the most devastating attacks to any organization, they aren't always the best choice. An important step in planning any social engineering attack is determining whether such an attack makes sense. In this section you'll learn about identifying the proper pretext that least to a successful social engineering attack.

Social engineering takes advantage of one of the greatest vulnerabilities of a client – the people who work there. As a pentester, one of the easiest ways to gain access is by tricking authorized users into giving up sensitive information. Learn about the basics of phishing, including spear phishing, SMS phishing, and whaling.

Now that you understand what social engineering attacks are learn how to use Kali Linux to launch a mass email spear phishing attack with a few simple commands.

In-person social engineering attacks are usually successful because people often want to be helpful and will rarely say "no" to someone face-to-face. These include elicitation, interrogation, impersonation, shoulder surfing, and USB key drops. It's also important to include multiple elements of what motivates people to give up sensitive information, such as authority, scarcity, social proof, urgency, likeness, and fear.

We've explored many of the technical ways to infiltrate a system through the network or directly at the host level. Physical security, on the other hand, involves gaining access to the actual physical location and the data within it by tailgating, fence jumping, dumpster diving, lock picking, or bypassing locks.

You've planned your engagement, you've chosen your targets and exploits, and you've successfully gained access. Now what? You'll want to make it easier to get back in but also figure out how to move laterally throughout the network. There are a number of OS features that can make lateral movement possible, including many remote access protocols. Learn about these features, and see two of them demonstrated: Telnet and SSH.

Pen tests don’t stop once access is gained—local host vulnerabilities often provide paths to escalate privileges or move deeper into a network. Learn how tools like Rubeus, Certify, Seatbelt, PsExec, and Evil-WinRM enable post-exploitation in Windows environments, from Kerberos abuse to remote PowerShell access, and why they are essential for modern red team engagements

A successful attack should not be the final step. In fact, a successful attack is often just the beginning of a string of subsequent attacks. In this section, you'll learn about the Empire, Mimikatz, and Bloodhound post-exploitation tools that help pen testers to keep an attack going to see how far they can get.

Since network segmentation is often required, testing for segmentation should be a part of every pen test. In this section, you'll learn about testing networks to validate segments by using ICMP, TCP, and UDP scans.

Once you gain access to a system, you're going to want to stick around without alerting anyone that you're there. This is what it means to be persistent as a pentester. You'll also want to be able to make it easy to move around within the system and to get back in. There are many ways to accomplish this, and in this video, you'll learn about running scheduled jobs or daemons, creating back doors for easy access using trojans, or even creating a user with higher privileges. In order to remain undetected, it's also vitally important to cover your tracks.

Although avoiding detection is desirable is isn't always easy. In this section you'll learn about a few techniques to continue an undetected attack for as long as possible. You'll learn about living off the land using PsExec, WMI, PowerShell remoting and WinRM, as well as data exfiltration, covering your tracks, steganography, and covert channels.

Attackers rely on stealth when moving or stealing data, often blending in with normal activity to avoid detection. Learn how techniques such as email exfiltration, cloud cross-account transfers, Alternate Data Streams, and virtual drive mounting are used in real-world attacks. Explore why common services like Dropbox, Pastebin, and OneDrive can become powerful tools for staging and exfiltration during penetration tests