Hacking Classes 75% notsosecure.com. Updated Regularly to Include Trending Techniques. Written by BlackHat Trainers: Available Globally

Transcription

1 75% 75% Hands-on Learning in Our Modern Hack Lab Updated Regularly to Include Trending Techniques Written by BlackHat Trainers: Available Globally Hacking Classes

2 Hacking Classes THE ART OF HACKING = + THE ART OF HACKING...PAGE 2 INFRASTRUCTURE HACKING...PAGE 4 WEB HACKING...PAGE 6 OTHER SPECIALIST CLASSES ADVANCED INFRASTRUCTURE HACKING...PAGE 8 ADVANCED WEB HACKING... PAGE 10 APPSEC FOR DEVELOPERS... PAGE 12 Becoming an information security expert THE ART OF HACKING ADVANCED WEB HACKING BLACK BELT Global Services Limited, 2018 All Rights Reserved NotSoSecure Global Services Limited (Company Registration , VAT Registration ) Trading As NotSoSecure Head Office: CB1 Business Centre, Twenty Station Road, Cambridge, CB1 2JD, UK Registered Office: Office 75 Springfield Road, Chelmsford, Essex, CM2 6JB, UK training@ Tel: BEGINNER INFRASTRUCTURE HACKING 3 DAYS WEB HACKING INTERMEDIATE 2 DAYS ADVANCED INFRASTRUCTURE HACKING EXPERT

3 2 3 The Art of Hacking System Administrators, Web Developers, SOC Analysts, Penetration Testers, Network Engineers, Security enthusiasts and anyone who wants to take their skills to the next level. 5 DAY CLASS FOUNDATION TRACK This class teaches the attendees a wealth of hacking techniques to compromise the security of various operating systems, networking devices and web application components. The class Master the Art of Hacking by building your hands-on skills in a sophisticated hack-lab with material that is delivered on the world conference stage; certified, accredited, continually updated and available globally starts from the very basic, and builds up to the level where attendees can not only use the tools and techniques to hack various components involved in infrastructure and web hacking, but also walk away with a solid understanding of the concepts on which these tools are based. The class comprises of 3 days of infrastructure hacking and 2 days of web hacking. The ideal introductory/intermediate training that brings together both infrastructure hacking and web hacking into a 5-day Art of Hacking class designed to teach the fundamentals of what pen testing is all about. This hands-on training was written to address the market need around the world for a real hands-on, practical and hack-lab experience that focuses on what is really needed when conducting THE ART OF HACKING CLASS CONTENT INFRASTRUCTURE HACKING a penetration test. Whilst a variety of tools are used, they are the key tools that should be in any DAY 3 penetration tester s kit bag. This, when combined with a sharp focus on methodology will give you what is necessary to start or formalise your testing career. Infrastructure basics TCP/IP basics The art of port scanning Target enumeration Brute-forcing Metasploit basics Password cracking Hacking Unix, databases and applications Hacking recent Unix vulnerabilities Hacking databases Hacking application servers Hacking third party applications (WordPress, Joomla, Drupal) Hacking Windows Windows enumeration Hacking recent Windows vulnerabilities. Hacking third party software (Browser, PDF, Java) Post exploitation: dumping secrets Hacking Windows domains Written & continually developed by leading Black Hat trainers Key tools that build a must have pen tester kit Updated regularly to include trending techniques DAY 4 WEB HACKING DAY 5 One of the best classes I ve taken in a long time. The content was on point and kept me engaged. I am new to Cyber Security after 25 years in App Development and I m very pleased with what I have learned Delegate, Black Hat USA Information gathering, profiling and cross-site scripting Understanding HTTP protocol Identifying the attack surface Username enumeration Information sisclosure Issues with SSL/TLS Cross-site scripting Cross-site request forgery Injection, Flaws, Files and Hacks SQL injection XXE attacks OS code injection Local/remote file include Cryptographic weakness Business logic flaws Insecure file uploads

4 4 5 Infrastructure Hacking System Administrators, Web Developers, SOC Analysts, Penetration Testers, Network Engineers, Security enthusiasts and anyone who wants to take their skills to the next level. 3 DAY CLASS FOUNDATION TRACK This class familiarises the attendees with a wealth of hacking tools and techniques. The class starts from the very basic and gradually builds up to the level where attendees not only use the Introduction into infrastructure testing Gain practical experience with tools that will last you well into the future tools and techniques to hack various components involved in infrastructure hacking, but also walk away with a solid understanding of the concepts on which these tools work. Learn core infrastructure techniques Leave with the basis to take your testing knowledge forward into more advanced infrastructure topics INFRASTRUCTURE HACKING CLASS CONTENT This is an entry-level infrastructure security and testing class and is a pre-requisite for our Advanced Infrastructure Hacking class. This class familiarises the attendees with the basics of network hacking. A number of tools and techniques will be taught during this 3-day class, If you would like to step into the world of ethical hacking / pen testing this is the right class for you. Infrastructure basics TCP/IP basics The art of port scanning Target enumeration Brute-forcing Metasploit basics Password cracking Hacking Unix, databases and applications Hacking recent Unix vulnerabilities Hacking databases Hacking application servers Hacking third party applications (WordPress, Joomla, Drupal) DAY 3 Hacking Windows Windows enumeration Hacking recent windows vulnerabilities. Hacking third party software (Browser, PDF, Java) Post exploitation: dumping secrets Hacking windows domains Infrastructure Hacking is the first part of the Art of Hacking Class. Very organized and clearly presented. Great having hands-on experience with individuals ready to assist needed Delegate, Black Hat USA

5 6 7 Web Hacking System Administrators, Web Developers, SOC Analysts, Penetration Testers, Network Engineers, Security enthusiasts and anyone who wants to take their skills to the next level. 2 DAY CLASS FOUNDATION TRACK Introduction into web application hacking Infrastructure Hacking is the second part of the Art of Hacking Class. Practical in focus, teaching how web application security flaws are discovered Covers leading industry standards and approaches Builds the foundation to progress your knowledge and move into more advanced web application topics This is an entry-level web application security testing class and is a pre-requisite for our Advanced Web Hacking class. This class familiarises the attendees with the basics of web and application hacking. A number of tools and techniques will be taught during the 2 day class. If you would like to step into the world of ethical hacking / pen testing with a focus on web applications, then this is the right class for you. WEB HACKING CLASS CONTENT Information gathering, profiling and cross-site scripting Understanding HTTP protocol Identifying the attack surface Username enumeration Information disclosure Issues with SSL/TLS Cross-site scripting Cross-site request forgery Injection, flaws, files and hacks SQL injection XXE attacks OS code injection Local/remote file include Cryptographic weakness Business logic flaws Insecure file uploads THE ART OF HACKING JOURNEY This class familiarises the attendees with a wealth of tools and techniques needed to breach the security of web applications. The class starts from the very basic, and gradually builds up to a level where attendees can not only use the tools and techniques to hack various components THE ART OF HACKING EXAM (CAPTURE THE FLAG) 1 DAY CERTIFICATION Ninja 60-80% involved in web application hacking, but also walk away with a solid understanding of the concepts on which these tools are based. The class also covers the industry standards such MASTER % as OWASP Top 10, PCI DSS and contains numerous real life examples to help the attendees understand the true impact of these vulnerabilities. INFRASTRUCTURE HACKING 3 DAYS WEB HACKING 2 DAYS EXAM PREPERATION OPTIONAL : PURCHASE EXTRA LAB TIME CREST REGISTERED TESTER EXAM CREST REGISTERED TESTER

6 8 9 Advanced Infrastructure Hacking The class is ideal for those preparing for CREST CCT (ICE), CHECK (CTL), TIGER SST and other similar industry certifications, as well as those who perform penetration testing on infrastructure as a day job and wish to add to their existing skill set. 5 DAY CLASS ADVANCED TRACK Latest exploits, highly relevant Teaching a wide variety of offensive hacking techniques Written by real pen testers with a world conference reputation (BlackHat, AppSec, OWASP, Defcon etc) Whether you are penetration testing, red teaming, or hoping to gain a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques for infrastructure devices and systems is critical. This Advanced Infrastructure Hacking class will get the attendees familiarised with a wealth of hacking techniques for common operating systems and networking devices. While prior pen testing experience is not a strict requirement, a prior use of common hacking tools such as Metasploit is recommended for this class. This Advanced Infrastructure Hacking class is designed for those who wish to push their knowledge. The fast-paced class teaches the audience a wealth of hacking techniques to compromise various operating systems and networking devices. The class will cover advanced penetration techniques to achieve exploitation and will familiarise you with hacking of common operating systems, networking devices and much more. From hacking domain controllers to local root, VLAN hopping to VoIP hacking, we have got everything covered. IPv4 and IPv6 refresher Advanced topics in network scanning Understanding and exploiting IPv6 targets Windows exploitation Domain and user enumeration AppLocker / GPO restriction bypass Local privilege escalation DAY 3 AD exploitation Active directory delegation issues WOW64 Pivoting and WinRM ADVANCED INFRASTRUCTURE HACKING EXAM PREPERATION OPTIONAL : PURCHASE EXTRA LAB TIME CREST CCT EXAM CCT INF CREST CERTIFIED INFRASTRUCTURE TESTER This course was exactly as described. It delivered good, solid information on the current state of infrastructure hacking at the rapid pace promised. This was a great way to get back into this area after years away from it. Delegate, Black Hat USA OSINT, DVCS exploitation Advanced OSINT data gathering Exploiting git and continuous integration (CI) servers. Database servers MySQL Postgres Oracle Recent vulnerabilities Heart-Bleed and Shell-Shock PHP serialization exploit Web-sphere Java exploits Post exploitation #1 (AMSI bypass & Mimikatz) Post exploitation #2 (LSASecrets) DAY 4 Linux exploitation Port scanning and enumeration FS + SSH Privilege escalation Rservices Apache X11 services Persistence (Golden Ticket and DCSync) Lateral movement using WMIC DAY 5 Container breakout Docker breakout VPN exploitation VPN VoIP exploitation VoIP enumeration VoIP exploitation VLAN exploitation VLAN concepts VLAN hopping attacks.

7 10 11 BLACK BELT EDITION Advanced Web Hacking 5 DAY CLASS ADVANCED TRACK Following the success of NotSoSecure s Black Hat with Basic Infrastructure, Basic Web and Advanced Infrastructure Hacking, we have proudly brought out this very Advanced Web Hacking training written and delivered by NotSoSecure Group and world-famous Mario Heiderich. Available for private groups onsite, we have brought the very best of our combined expertise together to challenge our respective clients and to push the boundaries of knowledge further in our industry. This fast-paced class, gives attendees an insight into advanced AppSec topics. Broken down into 3 days of Server Side Flaws and 2 days of Client Side Flaws, the team has built a state of the art hacklab and recreated security vulnerabilities based on real life Pen Tests and real bug bounties seen in the wild. Written with and delivered by NotSoSecure Group in association with Mario Heiderich: Mario, a security researcher is from Berlin; leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides Advanced Web Hacking Black Belt Edition, is available for private groups. Delivered as on-site training around the world particularly in the UK, EU and USA for numbers up to 16 students. A list of on-site pre-requisites is available upon request. Server Side flaws (3 days) These vulnerabilities affected well-known software/websites and span across multiple technologies (e.g..net framework to Node.js applications). The vulnerabilities selected for the class either typically go undetected by modern scanners or the exploitation techniques are not so well known. SQL Injection 2nd order injection NoSQL injection Out-of-Band exploitation WAF bypass techniques XXE Injection Blind XXE injection Case Study of recent XXE bugs XXE to Code Execution Serialization Flaws PHP object injection Java serialisation flaws Case study of recent serialisation flaws HTTP Parameter Pollution (HPP) Detecting HPP in application Case study of recent HPP bugs Business Logic Flaws Mass Assignment bugs OS code injection Crypto attacks Client Side Flaws - Exploiting Websites using offensive HTML, SVG, CSS, and other Browser- Evil (2 days) The focus of this aspect of the training is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheat Sheet. We will learn how to attack any webapplication with either unknown legacy features - or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps - we have that covered. A bit of knowledge on HTML and JavaScript is required here, but rookies and rocket scientists will be satisfied equally. HTML is a living standard. And so is this class. Course material will be provided on-site and via access to a private Github repo so all attendees will receive updated material even months after the actual training. Starting with; Client Side Flaws: The very Basics HTTP / Encoding Character Sets CSRF and detail Cross Site-Scripting DOM Clobbering Drag&Drop / Copy&Paste DOMXSS Legacy Features Note: Whoever works with or against the security of modern web applications will enjoy and benefit from this class. This is not a beginner class and attendees are expected to have a good prior understanding of the OWASP top 10 issues to gain maximum value from the class. Further to this, the class does not cover all AppSec topics and focuses only on advanced identification and exploitation techniques of the vulnerabilities shown on the right. Moving on to; HTML5 Attacks & Vectors SVG XML Mutation XSS / mxss Scriptless Attacks SOP Bypasses Filter Bypasses Optimizing your Payload

8 12 13 AppSec for Developers This class is Ideal for: Software/Web Developers, PL/ SQL Developers, Penetration Testers, Security Auditors, Administrators and DBAs and Security Managers. 2 DAY CLASS SPECIALIST TRACK Covers latest industry standards such as OWASP Top 10 Insight into latest security vulnerabilities (such as mass assignment bug in MVC frameworks) Thorough guidance on security best practices (like HTTP header such as CSP, HSTS header etc.) References to real world analogy for each vulnerability Hands-on labs A highly-practical class that targets Web Developers, Pen Testers, and anyone else who would like to learn about writing secure code, or to audit code against security flaws. The class covers a variety of best security practices and defense in-depth approaches, which developers should be aware of while developing applications. Students will be provided access to infrastructure on which they will identify vulnerable code and associated remediation. While the class covers industry standards such as OWASP Top 10 and SANS top 25 security issues, it also talks about real world issues that don t find a mention in these lists. The class does not focus on any particular web development language / technology but instead on the core principles. Examples include PHP,.NET, classic ASP and Java.10 and SANS top 25 security issues. Internet distribution of all course materials Pen Testing as an activity tends to capture security vulnerabilities at the end of the SDLC and is often too late to be able to influence fundamental changes in the way code is written. This class was written because of the need for developers to develop code and applications in a secure manner. It does not need to be more time consuming, but it is critical to introduce security as a quality component into the development cycle. The class does not target any particular web development platform, but does target the general insecure coding flaws developers make while developing applications. The examples used in the class include web development technologies such as ASP,.NET, JAVA and PHP. Module 1. Application security basics Module 2. Understanding the HTTP protocol Module 3. Issues with SSL/TLS Module 4. Information disclosure Module 5. Authentication flaws Module 6. Authorization bypass Module 7. Cross site scripting (XSS) Module 8. Cross site request forgery (CSRF) Module 9. SQL injection Module 10. XML external entity (XXE) attacks Module 11. Insecure file uploads Module 12. Client side security Module 13. Source code review

9 Founded by world renowned penetration tester Sumit Sid Siddarth and well-known cyber security entrepreneur Dan Haagman, NotSoSecure is a specialist firm focused on hacking training and penetration testing. A global Black Hat training provider in US and Europe. We Hack. We Teach. Visit for more information.