mile2® Store

Certified Penetration Testing Consultant Penetration


Course Overview

4 Days $3,500 32 CPE Credits

The Certified Penetration Testing Consultant course is our advanced course in our penetration testing track. The C)PTC is designed for cyber security professionals and IT network administrators who are interested in conducting Penetration tests against large network infrastructures, such as large corporate networks.

The training starts with capturing and analyzing basic packets and continues with Layer2 attack vectors; Layer3 based attacks, including both IPv4 and IPv6 stacks, routing protocol attacks (OSPF, BGP, etc); Service Provider level attacks related with very common used MPLS; how to use relays and pivots; VPN attacks including IPSEC protocol suite; SSL attacks; and finally covers NIDS/NIPS evasion and implementation techniques.

At the completion of each module, students are going to be able to practice their knowledge with the lab exercises that are specifically prepared for the covered materials during the theory.


Upon Completion

Students will:

    • Have the ability to plan, manage, and execute a penetration test.
    • Have knowledge to properly report on a penetration test results.
    • Be ready to sit for the C)PTC Exam


Course Content

With 8 Modules and 8 appendices, the C)PTC will bring your penetration testing skillset to the next level and prepare you to consult organizations on security issues.

Click on a module to view its content. We keep the content of the C)PTC labs protected. There is one lab per module covered.

Modules Labs

1: Packet Capturing

Packet Capturing
Packet capturing using libpcap
Capturing using ncap
Packet Capturing Software
Windump / TCPDump
Windump & PS
General Settings
Capture Settings
Interface Options
Column Settings
Name Resolution Settings
Capture Options
Menu Shortcuts
Follow TCP Stream
Expert Infos
Packet Reassembly
Capturing VOIP Calls
VOIP Call Filtering
Call Setup
Playing the call
Saving the call into a file
SMB Export
HTTP Export

2: Layer2 Attacks

Why Layer2?
FBI/CSI Risk Assessment
Ethernet Frame Formats
Different Types of attacks
Switch Learning Process
Excessive Flooding
Cisco Switches’ Bridging Table Capacities
Mac Flooding Alternative: Mac Spoofing Attacks
Spanning Tree Basics
Frame Formats
Main BPDU Formats
STP Attacks supported in yersinia
Becoming Root Bridge
Basic Trunk Port Defined
Dynamic Trunking Protocol (Cisco)
VLAN Hopping Attack
Double Tagging
How DHCP operates?
DHCP Request/Reply Types
DHCP Fields
DHCP Starvation Attack
Rogue DHCP Server Attack
ARP Function Review
Risk Analysis of ARP
ARP Spoofing Attack Tools
ARP Cache Poisoning
How PoE works?
Risk Analysis for PoE

3: Layer3 Attacks on Cisco Based Infrastructures

Layer 3 protocols
Protocols: BGP
BGP MD5 crack
Protocols: BGP
BGP Route Injection
MP-BGP Route Injection
Protocols: OSPF
Protocols: ISIS
Protocols: HSRP/VRRP
DDoS detection
DDoS prevention
Ingress/egress filtering
Worm detection and protection
DDoS/worm research/future
Bi-directional MPLS-VPN traffic redirection
Some More MPLS Attacks
Router integrity checking

4: Pivoting and Relays

Backdoors with nc
Netcat – Basic Usage
Persistent Listeners
Shovel a shell
Shovel a file
netcat port scanner
Simple Netcat Relay
Two-Way Netcat Relay – The Newbie Approach
Named Pipes
I/O Streams and Redirection
Relay Scenario 1
Two-Way NC Relay with Named Pipe
Relay Scenario 2
Relay Scenario 3

5: IPv6 Attacks

IPv4 & IPv6 Headers
IPv6 Header Format
End-to-End Principle
Differences with End-to-End
End point filters
Merging IPSEC and Firewall functions
ICMPv6 Neighbor Discovery
IPv6 Attack Tools
DAD DoS Attack
DAD DoS Attack
Auto-Configuration Mechanisms
Autoconfiguration – SLAAC, DHCPv6
Auto-Configuration IPv4 & IPv6
ICMPv6 Types
Neighbor Discovery
ND spoofing
Dos-new-ipv6 (THC)
Parasite6 (THC)
Redir6 (THC)
IPv6 in Today’s Network
Extension Headers
Routing Header
Different Types of Routing Header
RH0 (Deprecated by RFC 5095) Format
Routing Header 0 Attack
Layer 3-4 Spoofing
Transition Mechanism Threats
IPv6 Firewalls
Making existing tools work

6: VPN Attacks

VPN Comparison
Detecting IPSec VPNs
AH versus ESP
Tunnel mode versus Transport mode
Main mode versus aggressive mode
IKE Main Mode
IKE Aggressive Mode
IPv4 Header
Authentication Header
AH Transport Mode
AH Tunnel Mode
Authentication Algorithms
AH and NAT
ESP with Authentication
ESP in Transport Mode
ESP in Tunnel Mode
Aggressive Mode
Main Mode
Aggressive Mode ID
Aggressive Mode PSK Attacks
Aggressive PSK Cracking
Aggressive Mode ID Enumeration
Main Mode PSK Attacks
Main Mode PSK Cracking
Main Mode Policy Enumeration
Other VPN Flaws
Insecure Storage of Credentials on VPN Clients
Username Enumeration

7: Defeating SSL

How SSL Works
Certificate Types
Certificate Chaining
Chain of trust
Verifying a Certificate Chain
Certificate Chain That Cannot be Verified
What if…
Basic Constraints
Then the story started
Setting up IPTABLES
Running Arpspoof
How SSL connection is initiated:
How does it look like?
Combining this technique with homograph attack
Certificate Enrollment Request PKCS#10
Certificate (Subjects)
CN Encoding
PKCS #10 Certificate Signing Request
Universal Wildcard
More Weird Stuff
What do we have to worry about?
Certificate Revocation
Defeating OCSP
Update-Aware SSLSNIFF
What is Snort?
Snort Architecture
Packet Sniffing
Detection Engine
Alerting Components
Three major modes
Using Snort as Packet Sniffer
Packet Sniffing
Snort as Packet Logger
Snort as NIDS
Snort Rule Tree
Decoding Ethernet Packet
Preprocessor Layout
Parts of a Rule Outputs

8: IDS/IPS Evasion

Networking Standards
Evasion Principles
Evasion Layers
Layer 2
Layer 3-4
Fragmentation Attacks – Ping O' Death
More Malicious Fragments
Fragmentation-Based Techniques
Sending Overlapping Fragments
Different Reassembly Timeout
Sending Fragment with Different TTLs
Insertion Attacks
Protocol Violation
Layer 5-7
Layer 5-7
SMB Evasions
SMB based vulnerabilities
How can IDS control SMB sessions?
DCERPC Evasions
How DCERPC works:
DCERPC Bind Evasions
DCERPC Call Evasions
DCERPC Transport Evasions
Client Side Attack Evasions
UTF-8 Overlong Strings
Javascript Evasions
Base64 your HTML
DoS Attacks
Failure Points
Alert Management
Hardware Limitations
Session Tracking
Pattern Matching
Signature Matching

1: Working with Captured Files

Currently not disclosed

2: Layer 2 Attacks

Currently not disclosed

3: Attacking Routing Protocols

Currently not disclosed

4: Using Pivot Machines

Currently not disclosed

5: IPv6 Attacks

Currently not disclosed

6: VPN attack

Currently not disclosed

7: Defeating SSL, Decrypting Traffic and man-in-the-middle attacks

Currently not disclosed


Currently not disclosed


Class Format Options

Mile2 offers courses around the year and around the globe. You can attend this course in 2 ways:

    1. Instructor-led Classroom: Attend in person.
    2. Live-virtual Training: Attend the Instructor-led class remotely.


Who Should Attend

The Certified Penetration Testing Consultant course is the most advnaced training in mile2’s line of penetration testing courses and certifications. The course prepares students to consult organizations of any size on security by performing penetration test. We assume that people taking this course understand penetration testing and are looking to enhance their skills to the next level. We strongly encourage passing the C)PTE: Certified Penetration Testing Engineer Exam before taking this course or having the equivalent industry experience.


Exam Information

The Certified Penetration Testing Consultant exam is a 6 hour practical in which you will be conducting both a Vulnerability Assessment and a Full Penetration Test on two IP's. You will then be given 60 days to turn in a written Penetration Test report that will be analyzed by our team of experts. You are required to find at least 80% of the vulnerabilities and then manually test to see if they are legitimate. The report will need to be professionally written, grammatically correct and accurate. This exam is a Pass or Fail.
The C)PTC exam is taken online through Mile2’s Assessment and Certification System (“MACS”), which is accessible on your account. The cost is $600 USD and must be purchased from the store on

Purchase the exam

GTR Classes - C)IHE 12/07–12/11 REGISTER HERE
Toggle Bar