This course has been designed to fill a hole in the market that no other course will give you with hands on step by step tutorials that this visual learning experience provides. This course allows you to follow, in real time, each stage of the engagement that you can tweak and train your skills from over and over again!
You will get the latest tools and techniques using Rapid 7's Superb tool, 'Metasploit', to exploit targets as well as run post exploitation techniques and utilize PowerShell with 'Empire'
The course will visually engage with 'Empire', a post exploitation tool, used to harness the power of Powershell to further exploit Microsoft Windows Operating systems where poor configurations and overlooked policy have been deployed.
The course will start with an understanding of how to move around Metasploit, basic key strokes to get from one section of the framework to another, and together, we will exploit our first system, work out what we can and cant do, how to keep it if something goes wrong, and how to leave the session without being tracked. We will learn how to not be seen by Intrusion Detection Systems and Evade Anti-Virus Software used by professional Penetration Testers around the globe. The course will then look at Empire, again we will start with the basics of moving around, how to gain our sessions known as 'agents', escalate our privileges if required and migrate over to the Metasploit framework. This gives us the beast of both worlds!
You will learn how to be professional in your methodology and help you to gain a foothold in the field.
I will teach you by visual learning and not simply speaking over presentations. Theory is good but this course will get you up and running with little to no knowledge at all. This is the course I really wish i had learning Penetration Testing as it answers the questions that are not a simple Google away.
In this video, we go over the key navigation points within Metasploit and touch on Handlers, Payloads, Jobs and sessions.
Learn how to gather information on your targets, this is arguably the most important phase of all. This is also known as "reconnaissance" and without it you wont be able to focus your energy in the right area. Spend a lot of time gathering as much information about your targets as this will help you to understand how to conquer them.
Description - Link https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
"This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development."
In this lecture we gain a Command Shell (which is a DOS Prompt to you and I), and upgrade that DOS prompt to a meterpreter Shell. This will give us the ability to utilize more advanced exploitation techniques than simply having a shell and is usually the first point of getting any Command Shell. The Meterpreter session sits in memory so doesn't get triggered by Anti Virus Software of which is vital to being undetected whilst running through engagements.
During any Penetration Test, you will come across techniques that might, by design, perform a Denial Of Service which will leave the machine you are attacking, frozen, Blue Screened if in Windows, or simply reboot. It is important to know what these are so you don't accidentally try them. Your scope with your client will probably not allow you to perform DOS attacks intentionally, so make sure you're confident of what you're doing before your do it. This example in Windows (MS12020) has an availability checker that you can report to your clients the susceptibility of the DOS.
This time we look at the 'Web script Delivery' module. This module is a great module to learn as it gives you a quick and easy route to gather a new session to the box if you already have access to it. Say you manage to find the credentials and RDP onto a box, you can generate a script in PowerShell, run it and receive a session back on that box.
This also comes in PHP and Pearl flavors if these are relevant to your scenario.
This demonstration shows the bare bones of how to create a session, but in reality it would be rather unlikely for the victim to copy the code into a command box as shown in the video.
Part of being on the attacker side is to think of ways to execute code like this. You could for example, embed the code into a Macro of a Windows Excel or Word Document to automatically run when the file is opened.
Using an AutoRunScript can be a great technique to automate tasks and also allow you to speed up manual tasks & remove human error. This is great for migrating process's to evade antivirus when touching disk.
During your pentest, you will you will need to move around into different machines and gather credentials in order to do so. Here we look at how to gather hashes and crack them to re use these on other systems.
We look at using the popular tools like JTR (John The Ripper) & OPHCrack
Here we look at harnessing the power of Mimikatz.
Mimikatz is a post exploitation tool to gather passwords from compromised machines. Mimikatz isn't documented very well from within the Metasploit Module, so it's useful to see it in action fully.
Pass the Hash or PTH - Is a post exploitation method designed to allow you to give the NTLM Hash discovered from a previous exploit or from a 'hashdump' directly into the password field. This is an incredibly useful method when you don't have the time nor the resources to crack the hashes and need to gain further access and compromise your next machine.
In this lecture we look at Pivoting.
Pivoting is used to access internal networks by utilizing the initial exploited machine.
This Lecture looks at the 'ask' module. This module is uses as a Privilege Escalation Tactic that displays a message to the user 'asking' the user if it's 'ok' to run a program. If the user agrees, and has local admin privileges, then a new session is spawned with NT AUTHORITY\SYSTEM.
This lecture is all about Persistence.
Persistence is the method of resuming a session after the compromised machine has crashed, been restarted on simply that the session has died for some other reason.
After we have completed our engagement we now need to remove all traces that we connected. In this video we look at clear the windows Event log in Event Viewer. We wouldn't want anyone to know what we've been doing now would we ....
In this video we look at how to install, update and configure Empire ready for use.
In this video we look at the key commands needed to move around the Empire application to familiarize ourselves with the application.
In this video we will look at the differences between different types of encoded payloads. Starting from a standard powershell payload to a base64 encoded payload and how these are executed by looking at the pros and cons of how they are deployed.
This time we look at the creating a Windows component script-let file that we execute by using the "unregister" function! This is a nifty way to create shells.
As always we also bypass Anti-Virus and Endpoint Security Systems as the payload inside the script-let doesn't touch disk-space..
This time we look at how we interact with our Empire Agents that are now established on our system.
This video looks out attempting privilege escalation using the 'BypassUAC' method through Empire.
Like with all things in PenTesting, you don't always get the results you want!
This video is about trying different methods to achieve our goal.
Now we go to migrate between Empire and Metasploit in order to use different modules when we have issues with one application.
If at first you don't succeed.....
I have substantial experience in Networking & Systems Management covering Windows, *nix & MAC.
I have worked from the ground up working as Systems Administrator / Network Administrator, ISP, Provisioning Broadband services & MPLS Networks in large corporate environments. I have been involved in running penetration test engagements within the Financial Sector Services for some of the largest global banking Institutes. I currently hold the Qualys Vulnerability Assessor Certification, & will explore CREST and others when I have time in the future.