mile2® Store

Certified Penetration Testing Engineer Penetration

Course Overview

5 Days $3,000 40 CPE Credits

The Certified Penetration Testing Engineer course trains students on the 5 key elements of penetration testing: information gathering, scanning, enumeration, exploitation and reporting. Ethical hacking is the art of using these penetration testing techniques to identify and repair the latest vulnerabilities in a system to make sure it is secure. Malicious hackers use these same techniques to find the same vulnerabilities except they exploit the vulnerabilities giving them access to the businesses’ network. Once inside, hackers can access private information, such as usernames, passwords, credit card numbers, and social security numbers of clients and employees. It’s very likely this data will be held for ransom or sold off on a black market. Hackers are constantly looking for new companies they can exploit; when they come across yours, will they be able to gain access? Certified Penetration Testing Engineers are the solution to prevent this from happening to businesses they serve.

With our proprietary penetration testing lab exercizes, students will spend about 20 hours getting real-world penetration testing experience. They'll know what they are learning and they'll know how to use it after course. Our instructors will also provide real life examples of when to use the techniques that are being taught. There is no better way to learn the art of penetration testing.

This course also enhances the business skills needed to identify protection opportunities, justify testing activities and optimize security controls appropriate to the business needs in order to reduce business risk.

The C)PTE’s foundation is built firmly upon proven, hands-on, penetration testing methodologies utilized by our international group of vulnerability consultants. Mile2 trainers keep abreast of their field by practicing what they teach; we believe that an equal emphasis on theoretical and real world experience is essential for effective knowledge transfer to you, the student.

Upon Completion

Students will:

    • Have knowledge to perform penetration test
    • Have knowledge to accurately report on their findings from examinations
    • Be ready to sit for the C)PTE Exam


Course Content

With 15 up-to-date Modules and 16 Labs, the C)PTE will not only teach you the know-how of penetration testing, but you'll have real-world experience to solidify what you have learned.

Click on a module or lab to view its agenda. Module and appendix numbers correspond with their accompanying lab numbers.

Modules & Appendix Labs

0: Course Introduction

Courseware Materials
Course Overview
Course Objectives
C)PTE Exam Information
Learning Aids
Class Prerequisites
Student Facilities

1: Logistics of Penetration Testing

What is a Penetration Test?
Benefits of a Penetration Test
Data Breach Insurance
CSI Computer Crime Survey
Recent Attacks & Security Breaches
What does a Hack cost you?
Internet Crime Complaint Center
The Evolving Threat
Security Vulnerability Life Cycle
Exploit Timeline
Zombie Definition
What is a Botnet?
How is a Botnet Formed?
Botnet Statistics
How are Botnet’s Growing?
Types of Penetration Testing
Hacking Methodology
Methodology for Penetration Testing
Penetration Testing Methodologies
Hacker vs. Penetration Tester
Not Just Tools
Website Review
Tool: SecurityNOW! SX
Seven Management Errors

2: Linux Fundamentals

Linux History: Linus + Minix = Linux
The GNU Operating System
Linux Introduction
Linux GUI Desktops
Linux Shell
Linux Bash Shell
Recommended Linux Book
Password & Shadow File Formats
User Account Management
Instructor Demonstration
Changing a user account password
Configuring Network Interfaces with Linux
Mounting Drives with Linux
Tarballs and Zips
Compiling Programs in Linux
Why Use Live Linux Boot CDs
Typical Linux Operating Systems
Most Popular: Kali Linux

3: Information Gathering

What Information is gathered by the Hacker?
Organizing Collected Information
Leo meta-text editor
Free Mind: Mind mapping
IHMC CmapTools
Methods of Obtaining Information
Physical Access
Social Access
Social Engineering Techniques
Social Networks
Instant Messengers and Chats
Digital Access
Passive vs. Active Reconnaissance
Footprinting defined
Maltego GUI
Footprinting tools
Google Hacking
Google and Query Operators
Job Postings
Blogs & Forums
Google Groups / USENET
Internet Archive: The WayBack Machine
Domain Name Registration
WHOIS Output
DNS Databases
Using Nslookup
Dig for Unix / Linux
Traceroute Operation
Traceroute (cont.)
3D Traceroute
Opus online traceroute
People Search Engines
Intelius info and Background Check Tool
EDGAR For USA Company Info
Company House For British Company Info
Client Email Reputation
Web Server Info Tool: Netcraft
Footprinting Countermeasures

4: Detecting Live System

Introduction to Port Scanning
Port Scan Tips
Expected Results
Popular Port Scanning Tools
Stealth Online Ping
NMAP: Is the Host online
ICMP Disabled?
NMAP TCP Connect Scan
TCP Connect Port Scan
Tool Practice : TCP half-open & Ping Scan
Half-open Scan
Firewalled Ports
NMAP Service Version Detection
Additional NMAP Scans
Saving NMAP results
UDP Port Scan
Advanced Technique
Tool: Superscan
Tool: Look@LAN
Tool: Hping2
Tool: Hping2
More Hping2
Tool: Auto Scan
OS Fingerprinting: Xprobe2
Xprobe2 Options
Xprobe2 –v –T21-500 192.168.XXX.XXX
Tool: P0f
Tool Practice: Amap
Tool: Fragrouter: Fragmenting Probe Packets
Countermeasures: Scanning

5: Enumeration

Enumeration Overview
Web Server Banners
Practice: Banner Grabbing with Telnet
SuperScan 4 Tool: Banner Grabbing
SMTP Server Banner
DNS Enumeration
Zone Transfers from Windows 2000 DNS
Kali Linux DNS Enumeration
Countermeasure: DNS Zone Transfers
SNMP Insecurity
SNMP Enumeration Tools
SNMP Enumeration Countermeasures
Active Directory Enumeration
AD Enumeration countermeasures
Null sessions
Syntax for a Null Session
Viewing Shares
Tool: DumpSec
Tool: Enumeration with Cain and Abel
NAT Dictionary Attack Tool
Injecting Abel Service
Null Session Countermeasures

6: Vulnerability Assessments

Vulnerabilities in Network Services
Vulnerabilities in Networks
Vulnerability Assessment Def
Vulnerability Assessment Intro
Testing Overview
Staying Abreast: Security Alerts
Vulnerability Research Sites
Vulnerability Scanners
Nessus Report
SAINT – Sample Report
Tool: Retina
Qualys Guard
Tool: LANguard
Microsoft Baseline Analyzer
MBSA Scan Report
Dealing with Assessment Results
Patch Management
Other Patch Management Options

7: Malware Goes Undercover

Distributing Malware
Malware Capabilities
Countermeasure: Monitoring Autostart Methods
Tool: Netcat
Netcat Switches
Netcat as a Listener
Executable Wrappers
Benign EXE’s Historically Wrapped with Trojans
Tool: Restorator
Tool: Exe Icon
The Infectious CD-Rom Technique
Trojan: Backdoor.Zombam.B
Trojan: JPEG GDI+
All in One Remote Exploit
Advanced Trojans: Avoiding Detection
Malware Countermeasures
Gargoyle Investigator
Spy Sweeper Enterprise
CM Tool: Port Monitoring Software
CM Tools: File Protection Software
CM Tool: Windows File Protection
CM Tool: Windows Software
Restriction Policies
CM Tool: Hardware Malware Detectors
Countermeasure: User Education

8: Windows Hacking

Password Guessing
Password Cracking LM/NTLM Hashes
LM Hash Encryption
NT Hash Generation
Syskey Encryption
Cracking Techniques
Precomputation Detail
Creating Rainbow Tables
Free Rainbow Tables
NTPASSWD:Hash Insertion Attack
Password Sniffing
Windows Authentication Protocols
Hacking Tool: Kerbsniff & KerbCrack
Countermeasure: Monitoring Logs
Hard Disk Security
Breaking HD Encryption
Tokens & Smart Cards
USB Tokens
Covering Tracks Overview
Disabling Auditing
Clearing and Event log
Hiding Files with NTFS Alternate Data Stream
NTFS Streams countermeasures
What is Steganography?
Steganography Tools
Shedding Files Left Behind
Leaving No Local Trace
Tor: Anonymous Internet Access
How Tor Works
TOR + OpenVPN= Janus VM
Encrypted Tunnel Notes:
Hacking Tool: RootKit
Windows RootKit Countermeasures

9: Hacking UNIX/Linux

File System Structure
Starting and Stopping Processes
Interacting with Processes
Command Assistance
Interacting with Processes
Accounts and Groups
Password & Shadow File Formats
Accounts and Groups
Linux and UNIX Permissions
Set UID Programs
Trust Relationships
Logs and Auditing
Common Network Services
Remote Access Attacks
Brute-Force Attacks
Brute-Force Countermeasures
X Window System
X Insecurities Countermeasures
Network File System (NFS)
NFS Countermeasures
Passwords and Encryption
Password Cracking Tools
Symbolic Link
Symlink Countermeasure
Core File Manipulation
Shared Libraries
Kernel Flaws
File and Directory Permissions
SUID Files Countermeasure
File and Directory Permissions
World-Writable Files Countermeasure
Clearing the Log Files
Rootkit Countermeasures

10: Advanced Exploitation Techniques

How Do Exploits Work?
Format String
Race Conditions
Memory Organization
Buffer OverFlows
Buffer Overflow Definition
Overflow Illustration
How Buffers and Stacks Are
Supposed to Work
Stack Function
How a Buffer Overflow Works
Buffer Overflows
Heap Overflows
Heap Spraying
Security Code Reviews
Stages of Exploit Development
Shellcode Development
The Metasploit Project
The Metasploit Framework
SaintExploit at a Glance
SaintExploit Interface
Core Impact Overview

11: Pen Testing Wireless Networks

Standards Comparison
SSID (Service Set Identity)
MAC Filtering
Wired Equivalent Privacy
Weak IV Packets
WEP Weaknesses
XOR – Encryption Basics
How WPA improves on WEP
The WPA MIC Vulnerability
802.11i - WPA2
WPA and WPA2 Mode Types
WPA-PSK Encryption
LEAP Weaknesses
Tool: Kismet
Tool: Aircrack-ng Suite
Tool: Airodump-ng
Tool: Aireplay
DOS: Deauth/disassociate attack
Tool: Aircrack-ng
Attacking WEP
Attacking WPA
Exploiting Cisco LEAP
Typical Wired/Wireless Network
802.1X: EAP Types
EAP Advantages/Disadvantages
EAP/TLS Deployment
New Age Protection
Aruba – Wireless Intrusion Detection and Prevention
RAPIDS Rogue AP Detection

12: Networks, Sniffing, IDS

Example Packet Sniffers
Tool: Pcap & WinPcap
Tool: Wireshark
TCP Stream Re-assembling
Tool: Packetyzer
tcpdump & windump
Tool: OmniPeek
Sniffer Detection Using Cain & Abel
Active Sniffing Methods
Switch Table Flooding
ARP Cache Poisoning
ARP Normal Operation
ARP Cache Poisoning Tool
Tool: Cain and Abel
Linux Tool Set: Dsniff Suite
Dsniff Operation
MailSnarf, MsgSnarf, FileSnarf
What is DNS spoofing?
Tools: DNS Spoofing
Session Hijacking
Breaking SSL Traffic
Tool: Breaking SSL Traffic
Tool: Cain and Abel
Voice over IP (VoIP)
Intercepting VoIP
Intercepting RDP
Cracking RDP Encryption
Routing Protocols Analysis
Countermeasures for Sniffing
Countermeasures for Sniffing
Evading The Firewall and IDS
Evasive Techniques
Firewall – Normal Operation
Evasive Technique -Example
Evading With Encrypted Tunnels
Newer Firewall Capabilities
‘New Age’ Protection
Networking Device – Bastion Host
Spyware Prevention System (SPS)
Intrusion ‘SecureHost’ Overview
Intrusion Prevention Overview

13: Injecting the Database

Vulnerabilities & Common Attacks
SQL Injection
Impacts of SQL Injection
Why SQL “Injectionâ€Â?
SQL Injection: Enumeration
SQL Extended Stored Procedures
Direct Attacks
SQL Connection Properties
Attacking Database Servers
Obtaining Sensitive Information
Hacking Tool: SQLScan
Hacking Tool: osql.exe
Hacking Tool: Query Analyzers
Hacking Tool: SQLExec
Hacking Tool: Metasploit
Finding & Fixing SQL Injection
Hardening Databases

14: Attacking Web Technologies

Web Server Market Share
Common Web Application Threats
Progression of a Professional Hacker
Anatomy of a Web Application Attack
Web Applications Components
Web Application Penetration Methodologies
URL Mappings to Web Applications
Query String
Changing URL Login Parameters
Cross-Site Scripting (XSS)
Injection Flaws
Unvalidated Input
Unvalidated Input Illustrated
Impacts of Unvalidated Input
Finding & Fixing Un-validated Input
Attacks Against IIS
IIS Directory Traversal
IIS Logs
Other Unicode Exploitations
N-Stalker Scanner 2009
HTTrack Website Copier
Wikto Web Assessment Tool
SiteDigger v3.0
Paros Proxy
Burp Proxy
Dictionary Maker
Acunetix Web Scanner
Samurai Web Testing Framework

15: Project Documentation

Additional Items
The Report
Report Criteria:
Supporting Documentation
Analyzing Risk
Report Results Matrix
Findings Matrix
Delivering the Report
Stating Fact
Executive Summary
Technical Report
Report Table Of Contents
Summary Of Security Weaknesses Identified
Scope of Testing
Summary Recommendations
Summary Observations
Detailed Findings
Strategic and Tactical Directives
Statement of Responsibility / Appendices

A1: Understanding Penetration Testing

The Growth of Environments and Security
Our motivation…
The Goal: Protecting Information!
CIA Triad in Detail
Approach Security Holistically
Security Definitions
Definitions Relationships
Method: Ping
The TCP/IP stack
Recommended Video: It’s Showtime
Which services use which ports?
TCP 3-Way Handshake
TCP Flags
Types of Malware
Types of Malware Cont...
Types of Viruses
More Malware: Spyware
Trojan Horses
Back Doors
DDoS Issues
Packet Sniffers
Passive Sniffing
Active Sniffing
Firewalls, IDS and IPS
Firewall – First line of defense
IDS – Second line of defense
IPS – Last line of defense?
Firewall Types: (1) Packet Filtering
Firewall Types: (2) Proxy Firewalls
Firewall Types – Circuit-Level Proxy Firewall
Type of Circuit-Level Proxy – SOCKS
Firewall Types – Application-Layer Proxy
Firewall Types: (3) Stateful
Firewall Types: (4) Dynamic Packet-Filtering
Firewall Types: (5) Kernel Proxies
Firewall Placement
Firewall Architecture Types – Screened Host
Multi- or Dual-Homed
Screened Subnet
Wi-Fi Network Types
Widely Deployed Standards
Standards Comparison
802.11n - MIMO
Overview of Database Server
Types of databases
Overview of Database Server

A2: Financial Sector Regulations

IT Governance Best Practice
IT Risk Management
Types of Risks
Information Security Risk Evaluation
Improving Security Posture
Risk Evaluation Activities
Risk Assessment
Information Gathering
Data Classification
Threats and Vulnerabilities
Analytical Methods
Evaluate Controls
Evaluate Controls
Risk Ratings
Important Risk Assessment Practices
Many Regulations
Basel II
Gramm-Leach-Bliley-Act 1999 Title V
Federal Financial Examination Institution Council - FFIEC
Sarbanes-Oxley Act (SOX 404) 2002
IT Applications and Security
Internal Control: SOX
SOX: Business or IT Issue?
IT Issue for SOX
ISO 27002
ISO 27002: Control Components
Background on PCI
Dirty Dozen
Change Control and Auditing
Total Cost of Compliance
What does this mean to the tech?

A3: Access Controls

Role of Access Control
Categories of Access Controls
Physical Controls
Logical Controls
“Softâ€Â Controls
Security Roles
Steps to Granting Access
Access Criteria
Physical Access Control Mechanisms
Biometric System Types
Synchronous Token
Asynchronous Token Device
Memory Cards
Smart Card
Cryptographic Keys
Logical Access Controls
OS Access Controls

A4: Protocols

Protocols Overview
OSI – Application Layer
OSI – Presentation Layer
OSI – Session Layer
Transport Layer
OSI – Network Layer
OSI – Data Link
OSI – Physical Layer
Protocols at Each OSI Model Layer
TCP/IP Suite
Port and Protocol Relationship
Conceptual Use of Ports
UDP versus TCP
Protocols – ARP
Protocols – ICMP
Network Service – DNS
SSH Security Protocol
Protocols – SNMP
Protocols – SMTP

A5: Cryptography

Cryptographic Definitions
Encryption Algorithm
Symmetric Encryption
Symmetric Downfalls
Symmetric Algorithms
Crack Times
Asymmetric Encryption
Public Key Cryptography Advantages
Asymmetric Algorithm Disadvantages
Asymmetric Algorithm Examples
Key Exchange
Symmetric versus Asymmetric
Using the Algorithm Types Together
Instructor Demonstration
Common Hash Algorithms
Birthday Attack
Example of a Birthday Attack
Generic Hash Demo
Instructor Demonstration
Security Issues in Hashing
Hash Collisions
MD5 Collision Creates Rogue Certificate Authority
Hybrid Encryption
Digital Signatures
SSL Connection Setup
SSL Hybrid Encryption
IPSec - Network Layer Protection
Public Key Infrastructure
Quantum Cryptography
Attack Vectors
Network Attacks
More Attacks (Cryptanalysis)

A6: Economics and Law

Security Incentives & Motivations
What motivates us to promote security?
Security Incentives & Motivations
What motivates others to attack security?
What is Your Weakest Link?
What Is the Value of an Asset?
Examples of Some Vulnerabilities that Are
Not Always Obvious
Categorizing Risks
Some Examples of Types of Losses
Different Approaches to Analyzing Risks
Who Uses What Analysis Type?
Qualitative Analysis Steps
Quantitative Analysis
Can a Purely Quantitative Analysis Be Accomplished?
Comparing Cost and Benefit
Cost of a Countermeasure
Cyber Crime!
Not Just Fun and Games
Examples of Computer Crimes
Who Perpetrates These Crimes?
A Few Attack Types
Telephone Fraud
Identification Protection & Prosecution
Privacy of Sensitive Data
Privacy Issues – U.S. Laws as Examples
European Union Principles on Privacy
Routing Data Through Different Countries
Employee Privacy Issues
Common Laws – Civil
Common Laws – Criminal
Common Laws – Administrative
U.S. Federal Laws
Intellectual Property Laws
More Intellectual Property Laws
Software Licensing
Digital Millennium Copyright Act
Computer Crime and Its Barriers
Countries Working Together
Security Principles for International Use
Bringing in Law Enforcement
Investigation of Any Crime
Role of Evidence in a Trial
Evidence Requirements
Chain of Custody
How Is Evidence Processed?
Evidence Types
Hearsay Rule Exception
Responding to an Incident
Preparing for a Crime Before It Happens
Incident Handling
Evidence Collection Topics
Computer Forensics
Trying to Trap the Bad Guys

1: Getting Set Up

Naming and subnet assignments
Discovering your class share
VM Image Preparation
Discovering the Student Materials
PDF Penetration Testing Methodology’s review

2: Linux Fundamentals

Mounting a USB Thumb Drive
Mount a Windows partition
VNC Server
Preinstalled tools in Kali Linux

3: Information Gathering

Google Queries
Footprinting Tools
Getting everything you need with Maltego
Using Firefox for Pen Testing
Documentation of the assigned tasks

4: Detecting Live Systems

Zenmap in Kali Linux
NMAP Command Line
Documentation of the assigned tasks

5: Reconnaissance

Banner Grabbing
Zone Transfers
SNMP Enumeration
LDAP Enumeration
Null Sessions
SMB Enumeration
SMTP Enumeration
Documentation of the assigned tasks

6: Vulnerability Assessment

Run Nessus for Windows
Run Saint
Documentation of the assigned tasks

7: Malware

Netcat (Basics of Backdoor Tools)
Exploiting and Pivoting our Attack
Creating a Trojan
Documentation of the assigned tasks

8: Windows Hacking

Cracking a Windows Password with Linux
Cracking a Windows Password with Cain
Covering your tracks via Audit Logs
Alternate Data Streams
Understanding Rootkits
Windows 7 Client Side Exploit (Browser)
Windows 2008 SMBv2 Exploit
Documentation of the assigned tasks

9: Hacking UNIX/Linux

Setup and Recon – Do you remember how?
Making use of a poorly configured service
Cracking a Linux password
Creating a backdoor and covering our tracks
Documentation of the assigned tasks

10: Advanced Exploitation Techniques

Metasploit Command Line
Metasploit Web Interface

11: Attacking Wireless Networks

War Driving Lab
WEP Cracking Lab (classroom only)

12: Networks, Sniffing and IDS

Capture FTP Traffic
ARP Cache Poisoning Basics
ARP Cache Poisoning - RDP

13: Database Hacking

Hacme Bank – Login Bypass
Hacme Bank – Verbose Table Modification
Hacme Books – Denial of Service
Hacme Books – Data Tampering
Documentation of the assigned tasks

14: Hacking Web Applications

Input Manipulation
Shoveling a Shell
Hacme Bank – Horizontal Privilege Escalation
Hacme Bank – Vertical Privilege Escalation
Hacme Bank – Cross Site Scripting
Documentation of the assigned tasks

A5: Cryptography

Caesar Encryption
RC4 Encryption
IPSec Deployment




Class Format Options

Mile2 offers courses around the year and around the globe. You can attend a course in 3 ways:

    1. Instructor-led Classroom: Attend in person.
    2. Live-virtual Training: Attend the Instructor-led class remotely.
    3. Computer-based Training: Access the course through pre-recorded videos 24/7 at your convenience.


Who Should Attend

The C)PTE is a course on penetration testing designed for those who already have a basic understanding of cyber security. We recommend an understanding of how computers are networked and how they interact with the internet (TCP/IP). Some of the tools we will use are only developed for Linux; therefor having experience with Linux is a plus. We recommend having the previously mentioned experience or you can prepare to take the course by completing the C)ISSO: Certified Information Systems Officer course as a prerequisite. People who are in or are going into the following professional roles will especially benefit from our course:

Penetration Testing Consultant Security Analyst/Consultant Security Architect
Chief Information Security Officer Security Auditor IT Management

After you complete the C)PTE course and get certified, we recommend you to further develop your penetration testing skillset by being certified as a C)PTC: Certified Penetration Testing Consultant by taking the course and passing the 6 hour exam that will have you perform a penetration test that will really test what you know and can do!


Exam Information

The Certified Penetration Testing Engineer exam is taken online through Mile2’s Assessment and Certification System (“MACSâ€Â), which is accessible on your account. The exam will take 2 hours and consist of 100 multiple choice questions. The cost is $400 USD and must be purchased from the store on

Purchase the exam

GTR Classes - C)PTE 11/30–12/4 REGISTER HERE C)IHE 12/07–12/11 REGISTER HERE
Toggle Bar