hacking classes - claranet usa · step into the world of ethical hacking / pen testing with a focus...

Hacking Classes

75%75% Hands-on Learning in

Our Modern Hack Lab Updated Regularly to Include

Trending TechniquesWritten by BlackHat

Trainers: Available Globally

notsosecure.com

notsosecure.com@NotSoSecure Global Services Limited, 2018 All Rights Reserved

NotSoSecure Global Services Limited (Company Registration 09600047, VAT Registration 215919989) | Trading As NotSoSecure

Head Office: CB1 Business Centre, Twenty Station Road, Cambridge, CB1 2JD, UK Registered Office: Office 75 Springfield Road, Chelmsford, Essex, CM2 6JB, UK

[email protected] Tel: +44 1223 653193

THE ART OF HACKING

THE ART OF HACKING .........................................................................................................................PAGE 2

INFRASTRUCTURE HACKING ..............................................................................................................PAGE 4

WEB HACKING ......................................................................................................................................PAGE 6

OTHER SPECIALIST CLASSES

ADVANCED INFRASTRUCTURE HACKING .........................................................................................PAGE 8

ADVANCED WEB HACKING ............................................................................................................... PAGE 10

APPSEC FOR DEVELOPERS .............................................................................................................. PAGE 12

= +

Hacking Classes

INFRASTRUCTURE HACKING3 DAYS

WEB HACKING2 DAYS ADVANCED

INFRASTRUCTURE HACKING5 DAYS

INTERMEDIATEBEGINNER EXPERT

5 DAYSTHE ART OF HACKING

ADVANCED WEB HACKINGBLACK BELT EDITION

5 DAYS

Becoming an information security expert

2 3

nots

osec

ure.

com

Master the Art of Hacking by building your hands-on skills in a sophisticated hack-lab with material that is delivered on the world conference stage; certified, accredited, continually updated and available globally

The ideal introductory/intermediate training that brings together both infrastructure hacking and web

hacking into a 5-day “Art of Hacking” class designed to teach the fundamentals of what pen testing is

all about. This hands-on training was written to address the market need around the world for a real

hands-on, practical and hack-lab experience that focuses on what is really needed when conducting

a penetration test. Whilst a variety of tools are used, they are the key tools that should be in any

penetration tester’s kit bag. This, when combined with a sharp focus on methodology will give you what

is necessary to start or formalise your testing career.

5 DAY CLASS FOUNDATION TRACK

The Art of Hacking

One of the best classes I’ve taken in a long time. The content was on point and kept me engaged. I am new to Cyber Security after 25 years in App Development and I’m very pleased with what I have learned

Delegate, Black Hat USA

Written & continually developed by leading

Black Hat trainers

Key tools that build a must have pen tester kit

Updated regularly to include trending techniques

This class teaches the attendees a wealth of hacking techniques to compromise the security

of various operating systems, networking devices and web application components. The class

starts from the very basic, and builds up to the level where attendees can not only use the tools

and techniques to hack various components involved in infrastructure and web hacking, but

also walk away with a solid understanding of the concepts on which these tools are based. The

class comprises of 3 days of infrastructure hacking and 2 days of web hacking.

THE ART OF HACKING CLASS CONTENT

DAY 1Infrastructure basics• TCP/IP basics• The art of port scanning• Target enumeration• Brute-forcing• Metasploit basics• Password cracking

DAY 2Hacking Unix, databases and applications• Hacking recent Unix

vulnerabilities• Hacking databases• Hacking application servers• Hacking third party

applications (WordPress, Joomla, Drupal)

DAY 3Hacking Windows• Windows enumeration• Hacking recent Windows

vulnerabilities.• Hacking third party software

(Browser, PDF, Java)• Post exploitation: dumping

secrets• Hacking Windows domains

DAY 4Information gathering, profiling and cross-site scripting• Understanding HTTP protocol• Identifying the attack surface• Username enumeration• Information sisclosure• Issues with SSL/TLS• Cross-site scripting• Cross-site request forgery

DAY 5Injection, Flaws, Files and Hacks• SQL injection• XXE attacks• OS code injection• Local/remote file include• Cryptographic weakness• Business logic flaws• Insecure file uploads

INFRASTRUCTURE HACKING

WEB HACKING

WHO SHOULD TAKE THIS CLASS?System Administrators, Web Developers, SOC Analysts, Penetration Testers, Network Engineers, Security enthusiasts and anyone who wants to take their skills to the next level.

4 5

nots

osec

ure.

com

Introduction into infrastructure testing

Gain practical experience with tools that will last you well into the future

Learn core infrastructure techniques

Leave with the basis to take your testing knowledge forward into more advanced infrastructure topics

This is an entry-level infrastructure security and testing class and is a pre-requisite for our Advanced

Infrastructure Hacking class. This class familiarises the attendees with the basics of network hacking. A

number of tools and techniques will be taught during this 3-day class, If you would like to step into the

world of ethical hacking / pen testing this is the right class for you.


InfrastructureHacking

This class familiarises the attendees with a wealth of hacking tools and techniques. The class

starts from the very basic and gradually builds up to the level where attendees not only use the

tools and techniques to hack various components involved in infrastructure hacking, but also

walk away with a solid understanding of the concepts on which these tools work.

INFRASTRUCTURE HACKING CLASS CONTENT

DAY 1Infrastructure basics• TCP/IP basics• The art of port scanning• Target enumeration• Brute-forcing• Metasploit basics• Password cracking

DAY 2Hacking Unix, databases and applications• Hacking recent Unix

vulnerabilities• Hacking databases• Hacking application servers• Hacking third party

applications (WordPress, Joomla, Drupal)

DAY 3Hacking Windows• Windows enumeration• Hacking recent windows

vulnerabilities.• Hacking third party software

(Browser, PDF, Java)• Post exploitation: dumping

secrets• Hacking windows domains


Very organized and clearly presented. Great having hands-on experience with individuals ready to assist needed


Infrastructure Hacking is the first part of the Art of Hacking Class.

6 7

nots

osec

ure.

com

Introduction into web application hacking

Practical in focus, teaching how web application security flaws are discovered

Covers leading industry standards and approaches

Builds the foundation to progress your knowledge and move into more advanced web application topics

This is an entry-level web application security testing class and is a pre-requisite for our Advanced

Web Hacking class. This class familiarises the attendees with the basics of web and application

hacking. A number of tools and techniques will be taught during the 2 day class. If you would like to

step into the world of ethical hacking / pen testing with a focus on web applications, then this is the

right class for you.


WebHacking

This class familiarises the attendees with a wealth of tools and techniques needed to breach

the security of web applications. The class starts from the very basic, and gradually builds up to

a level where attendees can not only use the tools and techniques to hack various components

involved in web application hacking, but also walk away with a solid understanding of the

concepts on which these tools are based. The class also covers the industry standards such

as OWASP Top 10, PCI DSS and contains numerous real life examples to help the attendees

understand the true impact of these vulnerabilities.

DAY 1

Information gathering, profiling and cross-site scripting• Understanding HTTP protocol• Identifying the attack surface• Username enumeration• Information disclosure• Issues with SSL/TLS• Cross-site scripting• Cross-site request forgery

DAY 2

Injection, flaws, files and hacks• SQL injection• XXE attacks• OS code injection• Local/remote file include• Cryptographic weakness• Business logic flaws• Insecure file uploads

WEB HACKING CLASS CONTENT


Web Hacking is the second part of the Art of Hacking Class.

8 9

nots

osec

ure.

com

5 DAY CLASS ADVANCED TRACK

Advanced Infrastructure Hacking

Whether you are penetration testing, red teaming, or hoping to gain a better understanding of

managing vulnerabilities in your environment, understanding advanced hacking techniques for

infrastructure devices and systems is critical.

This Advanced Infrastructure Hacking class will get the attendees familiarised with a wealth of

hacking techniques for common operating systems and networking devices. While prior pen

testing experience is not a strict requirement, a prior use of common hacking tools such as

Metasploit is recommended for this class.

This course was exactly as described. It delivered good, solid information on the current state of infrastructure hacking at the rapid pace promised. This was a great way to get back into this area after years away from it.


CREST CCT EXAM

EXAM PREPERATION

OPTIONAL : PURCHASE EXTRA LAB TIME

ADVANCED INFRASTRUCTURE HACKING

5 DAYS

CCT INF CREST CERTIFIED

INFRASTRUCTURE TESTER

DAY 1IPv4 and IPv6 refresherAdvanced topics in network scanningUnderstanding and exploiting IPv6 targetsOSINT, DVCS exploitationAdvanced OSINT data gatheringExploiting git and continuous integration (CI) servers.Database serversMySQLPostgresOracleRecent vulnerabilitiesHeart-Bleed and Shell-ShockPHP serialization exploitWeb-sphere Java exploits

DAY 2Windows exploitationDomain and user enumerationAppLocker / GPO restriction bypassLocal privilege escalationPost exploitation #1 (AMSI bypass & Mimikatz)Post exploitation #2 (LSASecrets)

DAY 3AD exploitationActive directory delegation issuesWOW64Pivoting and WinRMPersistence (Golden Ticket and DCSync)Lateral movement using WMIC

DAY 4Linux exploitationPort scanning and enumerationFS + SSHPrivilege escalationRservicesApacheX11 services

DAY 5Container breakoutDocker breakoutVPN exploitationVPNVoIP exploitationVoIP enumerationVoIP exploitationVLAN exploitationVLAN conceptsVLAN hopping attacks.

WHO SHOULD TAKE THIS CLASS?The class is ideal for those preparing for CREST CCT (ICE), CHECK (CTL), TIGER SST and other similar industry certifications, as well as those who perform penetration testing on infrastructure as a day job and wish to add to their existing skill set.

Latest exploits, highly relevant

Teaching a wide variety of offensive hacking techniques

Written by real pen testers with a world conference reputation (BlackHat, AppSec, OWASP, Defcon etc)

This Advanced Infrastructure Hacking class is designed for those who wish to push their knowledge. The

fast-paced class teaches the audience a wealth of hacking techniques to compromise various operating

systems and networking devices. The class will cover advanced penetration techniques to achieve

exploitation and will familiarise you with hacking of common operating systems, networking devices and

much more. From hacking domain controllers to local root, VLAN hopping to VoIP hacking, we have got

everything covered.

10 11

nots

osec

ure.

com

3 DAY CLASS ADVANCED TRACK

Whoever works with or against the security of modern web applications will enjoy and benefit from this class. This is not a beginner class and attendees are expected to have a good prior understanding of the OWASP top 10 issues to gain maximum value from the class. Further to this, the class does not cover all AppSec topics and focuses only on advanced identification and exploitation techniques of the vulnerabilities shown on the right.

Advanced Web Hacking – Black Belt Edition, is available for private groups. Delivered as on-site training around the world particularly in the UK, EU and USA for numbers up to 16 students. A list of on-site pre-requisites is available upon request.

AUTHENTICATION BYPASS Token Hijacking attacks SQL column truncation attack Logical Bypass / Boundary Conditions

SAML / OAUTH 2.0 / AUTH-0 / JWT ATTACKSJWT Token Brute-Force attacksSAML Authentication and Authorization BypassXXE through SAMLAdvanced XXE Exploitation over OOB channelsPASSWORD RESET ATTACKSCookie SwapHost Header Validation BypassCase study of popular password reset fails.

BREAKING CRYPTOKnown Plaintext Attack (Faulty Password Reset)Path Traversal using Padding OracleHash length extension attacks

BUSINESS LOGIC FLAWS / AUTHORIZATION FLAWSMass AssignmentInvite/Promo Code BypassReplay Attack

SQL INJECTION2nd order injectionOut-of-Band exploitationSQLi through cryptoNoSQL Injection

OS code exec via powershell.Advanced topics in SQli

REMOTE CODE EXECUTION (RCE)Java Serialisation AttackNode.js RCEPHP object injectionRCE through XXE (with blind XXE)RCE through XSLTRails’ Remote Code ExecutionRuby/ERB template injectionExploiting code injection over OOB channel

SERVER SIDE REQUEST FORGERY (SSRF)SSRF to query internal networkSSRF to code exec

UNRESTRICTED FILE UPLOADMalicious File ExtensionsCircumventing File validation checksWeb shells for modern platforms

MISCELLANEOUS TOPICSHTTP Parameter Pollution (HPP)XXE in file parsingA Collection of weird and wonderful XSS and CSRF attacks.

ATTACK CHAININGCombining Client-side and Server-side attacks to steal internal secretsB33r 101

NotSoSecure is pleased to launch their much awaited advanced Web Hacking class. Much like the Advanced Infrastructure Hacking class, this class talks about a wealth of hacking techniques to compromise web applications, APIs and associated end-points. This class focus on specific areas of app-sec and on advanced vulnerability identification and exploitation techniques (especially server side flaws). The class allows attendees to practice some neat, new and ridiculous hacks which affected real life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. Attendees can also benefit from a state-of-art Hacklab and we will be providing 30 days lab access after the class to allow attendees more practice time.

This fast-paced class, gives attendees an insight into Advanced Web Hacking, the team has built a state of the art hacklab and recreated security vulnerabilities based on real life Pen Tests and real bug bounties seen in the wild.

The AWH course has been excellent with 100% positive feedback.

We’ve appreciated ourselves how much work must have gone into the labs, they are very strong and reflect the real world, so we’ve been thrilled.

The trainers are great, very knowledgable and engaging.

Anonymous – April 2018

Advanced Web Hacking

12 13

nots

osec

ure.

com

2 DAY CLASS SPECIALIST TRACK

AppSec for Developers

Covers latest industry standards such as OWASP Top 10

Insight into latest security vulnerabilities (such as mass assignment bug in MVC frameworks)

Thorough guidance on security best practices (like HTTP header such as CSP, HSTS header etc.)

References to real world analogy for each vulnerability

Hands-on labs

Internet distribution of all course materials

Pen Testing as an activity tends to capture security vulnerabilities at the end of the SDLC and is often

too late to be able to influence fundamental changes in the way code is written.

This class was written because of the need for developers to develop code and applications in a

secure manner. It does not need to be more time consuming, but it is critical to introduce security

as a quality component into the development cycle. The class does not target any particular web

development platform, but does target the general insecure coding flaws developers make while

developing applications. The examples used in the class include web development technologies such

as ASP, .NET, JAVA and PHP.

WHO SHOULD TAKE THIS CLASS?This class is Ideal for: Software/Web Developers, PL/SQL Developers, Penetration Testers, Security Auditors, Administrators and DBAs and Security Managers.

A highly-practical class that targets Web Developers, Pen Testers, and anyone else who would

like to learn about writing secure code, or to audit code against security flaws. The class covers

a variety of best security practices and defense in-depth approaches, which developers should

be aware of while developing applications.

Students will be provided access to infrastructure on which they will identify vulnerable code

and associated remediation. While the class covers industry standards such as OWASP Top

10 and SANS top 25 security issues, it also talks about real world issues that don’t find a

mention in these lists. The class does not focus on any particular web development language

/ technology but instead on the core principles. Examples include PHP, .NET, classic ASP and

Java.10 and SANS top 25 security issues.

DAY 1Module 1. Application Security Basics

Module 2. Understanding HTTP protocol

Module 3. Security Misconfigurations

Module 4. Insufficient Logging and Monitoring

Module 5. Authentication Flaws

Module 6. Authorization Bypass

Module 7. Cross Site Scripting (XSS)

DAY 2Module 8. Cross Site Request Forgery (CSRF)

Module 9. SQL Injection

Module 10. XML External Entity (XXE) Attacks

Module 11. Insecure File Uploads

Module 12. Deserialization Vulnerabilities

Module 13. Client Side Security

Module 14. Source Code Review

Founded by world renowned penetration tester Sumit “Sid” Siddarth and well-known cyber security entrepreneur Dan Haagman, NotSoSecure is a specialist firm focused on hacking training and penetration testing. A global Black Hat training provider in US and Europe. We Hack. We Teach. Visit notsosecure.com for more information.

hacking classes - claranet usa · step into the world of ethical hacking / pen testing with a focus...

Documents