Choose the Hacker path that suits you best

Cyber Security

• What is a cyber attack?
• Incident Response process
• CIA Triad
• Types of Hackers
• Cyber Theft Ring
• How much is our data worth on the Dark Web?
• Main players
• Main attacks
• Techniques used
• Preferred vectors

Kill Chain

• Phases
  
  • Targeting
  • Reconnaissance
  • Weaponisation
  • Delivery
  • Exploitation
  • Installation
  • Command & Control
  • An Example of an Attack: Action
  • The Attack on Target

Protocol TCP/IP

• • Packets
    • Model ISO/OSI
    • Model TCP/IP
    • Levels
    • Encapsulation
  • Headers
    • Tcp
    • IP
    • Ethernet
  • IP protocol 
    • Addresses
    • Address classes
    • Netmask
    • IPv6
  • IP routing
    • Routing tables
    • Autonomous system
    • Routing protocols
      
      • IGP protocol
      • EGP protocol
    • Distance Vector
    • RIP
    • Link State
    • Path vector
  • Data Link layer
    
    • MAC address
    • Mac Table
    • Switch
    • ARP protocol
  • TCP and UDP
    • Ports
    • Headers
    • Netstat command
    • Three way handshake
  • DNS
    • Structure
    • Resolution
  • DHCP protocol
    
    • Phases
    • Dhcp discover
    • Dhcp offer
    • Dhcp request
    • Dhcp hack
    • Renewal
  • Other protocol
    • SNMP
    • ICMP
    • FTP
    • SMTP
    • IMAP
    • POP3

  WEB Applications

  • HTTP protocoll
  • HTTP request
  • HTTP response
  • HTTPs
  • Cookies
  • HTTP Sessions

  Systems for Protecting the Network

  • Proxies
  • Firewalls
  • Honeypots
  • VPN
  • IDS/IPS
  • DLP systems

• Introduction
  • Historical overview
  • Philosophy
  • Distributions
  • The Kernel
  • The shell
  • Commands
  • Processes
• File System
  • The File System
  • Files and Directories
  • The structure of the File System
  • Permissions and protections
  • Commands for files and directories
• Redirection
  • Stdin, Stdout e Stderr
  • Input redirection
  • Output redirection
  • Error redirection
• Filter and pipelines                              
  • Pipes
  • Main filters: grep, sort, uniq, nl, tr, head, tail, wc, sed, awk
• Process management                              
  • Environment variables
  • Jobs
  • Process states
  • Signals
• Shell programming                                   
  • Quoting
  • Metacharacters and globbing
  • Substitutions
  • Command composition
  • Creating a programme

Web Application Vulnerabilities

• Who OWASP is
• How a web application is structured
• The OWASP Top Ten
  • Injection
  • Broken authentication
  • Sensitive data exposure
  • XML External Entities
  • Broken access control
  • Security misconfiguration
  • Cross-Site Scripting
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

Attacks

• What a zero-day is
  • DoS, DDoS, and DRDoS
    • Smurf
    • Xmas scan attack
  • Man-in-the-Middle
  • Man-in-the-Browser
  • Buffer overflow
  • Privilege escalation
  • ARP poisoning
  • DNS poisoning
  • Domain hijacking
  • Clickjacking
  • Session hijacking
  • Spoofing
    • MAC
    • Email
    • Phone
  • Downgrade attack
  • Wi-Fi attacks
    • Wi-Fi protocols
    • Replay attack
    • Rogue AP
    • Evil Twin
    • WPS attacks
  • Bluetooth attacks
    • Bluejacking
    • Bluesnarfing
    • Bluebugging
  • Cryptographic attacks
  • Hash functions
  • Pass-the-hash
  • Password attacks
    • Rainbow tables
    • Salting
    • Dictionary attacks
    • Hybrid attacks
    • Online attacks
    • Brute force
    • Birthday attack

Social Engineering

• What social engineering is
• Scenarios
• Phishing
• Spear phishing
• Lateral phishing
• BEC scams
• Smishing
• Vishing
• Tailgating
• Impersonation
• Dumpster diving
• Shoulder surfing
• Watering hole
• Basic principles of social engineering
• An example of an attack
• The Social Engineering Attack Framework

Malware

• The PE format
• DLLs
• Kernel mode vs user mode
• Protection rings
• APIs
• Transition from user mode to kernel mode
• How infections occur
• Signatures
• Obfuscation & mutation
• Polymorphic malware
• Metamorphic malware
• Mutation engines
• Persistence
  • System registry
  • DLL hijacking
  • DLL load order hijacking
  • Trojanized system binaries
• Types of malware
  • Viruses
  • Backdoors
  • Adware
  • Spyware
  • Keyloggers
  • Trojans
  • RAT
  • Cryptojacking
• Rootkits
  • User mode
  • Kernel mode
  • IAT hooking
  • Bootkits
• Hybrid malware
  • Conficker
• Ransomware
  • Phases of a ransomware attack
  • WannaCry
  • How to respond
• Macro viruses
• Scareware
• Fileless malware
• Exploit kits
  • Angler
  • Zeus Builder
• Crime as a Service
  • Grand Crab

Introduction to the Penetration Testing Process

• Motivations and engagement
• Phases
• Presenting the results

Information Gathering

• Introduction
• Intelligence gathering
• Open source intelligence gathering (OSINT)
• Active vs Passive reconnaissance
• The three depth levels
• Online information services
• System Identification: basics
  • Netcraft
  • whois
  • ping
  • traceroute
  • nslookup vs host vs dig
• System Identification and DNS: zone transfer
• System Identification and Email
• System Identification and network services
  • Port scanning
  • nc
  • Banner grabbing
  • Introduction to nmap
    
    

Footprinting & Scanning

• Introduction
• The phases of footprinting
• Defining the scope
• Footprinting tools
• Google Hacking: using Google to our advantage
  • Google queries
  • Advanced operators
  • Google dorks
• DNS hacking: squeezing a DNS
• More banner grabbing
• Mapping remote networks
• Automated port scanning
  • nmap
• Automated system identification
  • nmap
  • dmitry
    
    

Vulnerability Assessment

• Introduction
• The VA process
• Defining the perimeter
• Internal vs Internet-facing
• Evidence identified by the VA process
• Limitations of VA
  • The concept of vulnerability
  • The concept of exploitability
• Building a continuous process
• Standards and reference databases
  • FIRST CVSS
  • MITRE
  • NIST
• Manual vs automated tools
• Automated tools
  • nmap
  • Nikto
  • OpenVAS
  • Nessus

Web Application Attacks

• Introduction
  • Web server fingerprinting
  • Black-box testing
  • Httprint
  • Manual server exploitation
• HTTP protocol
  • GET method
  • POST method
  • HEAD method
  • PUT method
  • DELETE method
  • OPTIONS method
• Enumeration
  • HTTP verbs enumeration
  • File and directory enumeration
  • File enumeration using search engines
  • OWASP DirBuster
• Cross-Site Scripting
  • Countermeasures
  • Types
  • Reflected (non-persistent)
  • Persistent
• SQL Injection (SQLi)
  • The injection point
  • Anatomy of a SQL Injection attack
  • SQLmap

System Attacks

• Malware
  • Adware
  • Spyware
  • Backdoors
  • Firewalls and backdoors
  • Rootkits
  • Trojan horses
  • Viruses
  • Keyloggers
  • Botnets
  • Ransomware
• Password attacks
  • Authentication mechanisms
  • Encryption algorithms and hash functions
  • Password storage files
    • Microsoft
    • Linux
    • Salting function
  • Password cracking
  • Dictionary attacks
  • Rainbow tables
  • Brute-force attacks
  • Hybrid solutions
  • Custom dictionaries
  • Password attacks with Hashcat
  • John the Ripper attack
• Buffer Overflow (BOF)
• The stack
• Smashing the stack
• Stack overflow
  • Push and pop methods

Network Attacks

• Authentication cracking
  • Vulnerability
  • Hydra tool
• Windows shares
  • Universal Naming Convention (UNC) paths
  • Administrative and hidden shares
• Null session
  • Vulnerability
  • Enum tool
• ARP poisoning
  • ARP protocol
  • ARP table
  • Man-in-the-middle (MITM)
• Metasploit
  • Framework
  • Console
  • Commands
  • Payloads
• Meterpreter
  • Connection
    • Bind
    • Reverse
  • Sessions
  • Meterpreter information gathering
    • Sysinfo
    • Route
    • Getuid

Administration and Services

• Package management: Advanced Package Tool and dpkg
• Service management: systemctl

Shell Kung-fu

• Process management
• Job management
• Repeated actions
• Data analysis
• Commands and aliases
• Bash hacks
• History hacks
• Some math, but not too much
• SSH hacks
• Zsh

Networking Essentials

• Networking in Linux
• nc
• socat
• Bind shell in a Linux environment
• Reverse shell in a Linux environment
• Networking in Windows with PowerShell
• Bind shell in a Windows environment
• Reverse shell in a Windows environment
• powercat

Introduction

• Motivations
• Attack patterns
• The attack surface
• Defense analysis

How to perform reconnaissance

• The Kill Chain
• What to look for
• Reconnaissance tools over time
• Types of reconnaissance

Passive reconnaissance

• What and where to look
• Open sources
• Google and exploit-db
• Web mirroring
• Maltego
• Shodan
• pf0
• Man-in-the-middle positioning for gathering: Wireshark

Active reconnaissance

• Port scanning with nmap
• Port scanning with hping3
• Port scanning with netcat
• Port scanning with masscan
• Post-exploitation recon: ARP scan
• DNS enumeration
• SNMP scanning: onesixtyone
• Web application reconnaissance: Wappalyzer

Beyond Scanning

• Security audits and frameworks
• PCI-DSS
• SCAP
• MSCT
• Performing audits using Nessus Professional
• Risk assessment
• NIST Risk Assessment Guide

Beyond Nessus

• A new point of view: LHF
• Searching for alternatives
• Dictionary generation

Vulnerability Assessment and Web Applications

• Quick tools
• Burp Suite

General Concepts and First Steps

• Introduction
• More on SMB enumeration

Enumeration in Unix Environments

• The NFS protocol
• NFS enumeration

Enumeration in Windows Environments

• RPC enumeration and Microsoft domains
• Obtaining information from Active Directory
• From enumeration to attack: password spraying
• Considerations on the availability of attacks derived from analysis

SNMP Enumeration

• Introduction
• Protocol versions and security
• Possible enumeration methods
• Lab: Compromising SNMPv3 security and obtaining unauthorized access

Introduction

• Attack and exploitation scenarios
• Attack vectors
• Other compromise methods
• Public exploits: risks and benefits
• Searching for an exploit
• Online and offline resources

Memory Attacks

• Introduction
• Architectures
• Memory and virtual addresses
• Memory for a program
• The stack
• Function return mechanism
• CPU internals
• Assembly fundamentals
• Tools
• Lab: Analysis of a BOF (Buffer Overflow)
• From analysis to exploitation
• Lab: Windows memory exploitation

Maintaining Access and Other Exploitation Techniques

• Macro viruses
• Lab: building a macro virus

In Search of Privilege

• An approach to searching for privilege escalation
• Privilege escalation for Windows
  • Some ideas
  • Privileges, network, services, programs, DLLs
  • Concrete use cases
• Privilege escalation for Linux
  • Some ideas
  • Privileges, network, services, programs, DLLs
  • Concrete use cases

Automated Discovery

• For Linux/macOS: linPEAS
• For Windows: winPEAS

Post-Exploitation and Exfiltration

• The exfiltration problem
• Data encoding techniques
  • Base64 encoding
  • URI obfuscation
  • URL hostname obfuscation
  • Code obfuscation
  • Unicode and UTF
  • Homoglyphs

Exfiltration Protocols

• Exfiltration over TCP
• Exfiltration via FTP/SSH/SCP/SFTP
• Data exfiltration via HTTP POST
• Exfiltration via ICMP
• Exfiltration via DNS
• DNS weaponization

Traffic Constraints

• Firewall evasion
  • Port forwarding
  • SSH tunneling
  • Pivoting
  • Proxychains

Bypassing Protection Systems

• Types of protection
• Antivirus (antivirus evasion)
• On-disk evasion
  • Packers
  • Obfuscators
  • Crypters
• In-memory evasion
  • PE injection
• Network evasion
  • A weak use case: Base64
  • A strong use case: AES
• Application whitelisting/blacklisting
  • AppLocker

Attacking CVE-2021-44228 – Log4Shell

• What Log4Shell is
• Log4J and lookups
• The role of malicious DNS: a new exfiltration opportunity
• How Log4Shell works
• The role of malicious LDAP servers
• Basic tools: LDAP URLs, custom LDAP servers
• Payload examples
• Bypassing WAFs
• A complete PoC

Attacking CVE-2022-42889 – Apache Commons Text RCE

• String substitutions
• The risks of unsafe input
• Risk levels
• What does not work in Commons Text
• Use cases and examples

APK-Based Attack

• The Android environment
• The APK system
• Weaponization
  • Distribution technique: drive-by download
  • Payload selection and construction
  • Building the APK package
  • Trojanized APK: embedding into another APK
• The attack
  • Available tools
  • Navigating within the device
  • Extracting information and files

Other Exploitation Methods

The Android clipboard

Introduction to Physical Communication

• Physical communication
• Electromagnetic signals
• Electromagnetic spectrum

Attack Devices and Flipper Zero

• Attack devices
• Flipper Zero
  • Architecture
  • User interface
• Systems that can be compromised with Flipper Zero
  • Infrared
  • Wi-Fi
  • Bluetooth
  • Sub-GHz (gates, cars, garages, ...)
  • NFC and RFID
  • Bad USB