CPTS
Number | Module | My notes | Duration | Section
---|---|---|---|---
01 | Penetration Testing Process | Penetration Testing Process | 6 hours | Introduction
02 | Network Enumeration with Nmap | (Almost) all about nmap | 7 hours | Reconnaissance, Enumeration & Attack Planning
03 | Footprinting | Introduction to footprinting; infrastructure and web enumeration; some services: FTP, SMB, NFS, DNS, SMTP, IMAP/POP3, SNMP, MySQL, Oracle TNS, IPMI, SSH, RSYNC, R Services, RDP, WinRM, WMI | 2 days | Reconnaissance, Enumeration & Attack Planning
04 | Information Gathering - Web Edition | Information Gathering - Web Edition, with tools such as Gobuster, ffuf, Burpsuite, Wfuzz, feroxbuster, OWASP WSTG-INFO-02, Google Dorks. More tools for recon: finalrecon | 7 hours | Reconnaissance, Enumeration & Attack Planning
05 | Vulnerability Assessment | Vulnerability Assessment: Nessus, OpenVAS | 2 hours | Reconnaissance, Enumeration & Attack Planning
06 | File Transfer Techniques | File Transfer Techniques: Linux, Windows, code (netcat, python, php and others), bypassing file upload restrictions, file encryption, evasion techniques when transferring files, LOLBAS (Living Off The Land Binaries and Scripts) | 3 hours | Reconnaissance, Enumeration & Attack Planning
07 | Shells & Payloads | Bind shells, reverse shells, spawning a shell, web shells (Laudanum and nishang), Windows footprinting | 2 days | Reconnaissance, Enumeration & Attack Planning
08 | Using the Metasploit Framework | Metasploit, msfvenom | 5 hours | Reconnaissance, Enumeration & Attack Planning
09 | Password Attacks | Password attacks | 8 hours | Exploitation & Lateral Movement
10 | Attacking Common Services | Common services: FTP; SMB (tools: smbclient, smbmap, rpcclient, Samba Suite, crackmapexec, impacket-smbexec, impacket-psexec); databases (MySQL and attacking MySQL, MSSQL and attacking MSSQL); log4j; RDP; DNS; SMTP; IMAP/POP protocols; postfix; swaks. Machines: Rabbit, SneakyMailer, Reel | 8 hours | Exploitation & Lateral Movement
11 | Pivoting, Tunneling, and Port Forwarding | | 2 days | Exploitation & Lateral Movement
12 | Active Directory Enumeration & Attacks | | 7 days | Exploitation & Lateral Movement
13 | Using Web Proxies | Proxies: burpsuite, zap-proxy, proxychains | 8 hours | Web Exploitation
14 | Attacking Web Applications with Ffuf | ffuf | 5 hours | Web Exploitation
15 | Login Brute Forcing | | 6 hours | Web Exploitation
16 | SQL Injection Fundamentals | | 8 hours | Web Exploitation
17 | SQLMap Essentials | | 8 hours | Web Exploitation
18 | Cross-Site Scripting (XSS) | XSS | 6 hours | Web Exploitation
19 | File Inclusion | | 8 hours | Web Exploitation
20 | File Upload Attacks | | 8 hours | Web Exploitation
21 | Command Injections | | 6 hours | Web Exploitation
22 | Web Attacks | Web exploitation | 2 days | Web Exploitation
23 | Attacking Common Applications | | 4 days | Web Exploitation
24 | Linux Privilege Escalation | | 8 hours | Post-Exploitation
25 | Windows Privilege Escalation | | 4 days | Post-Exploitation
26 | Documentation & Reporting | | 2 days | Reporting & Capstone
27 | Attacking Enterprise Networks | | 2 days | Reporting & Capstone
Practicing Steps
Starting point:

- 2x Modules: The modules chosen should be categorized according to two different difficulties: technical and offensive.
- 3x Retired Machines: we recommend choosing two easy and one medium machine. At the end of each module, you will find recommended retired machines to consider that will help you practice the specific tools and topics covered in the module. These hosts will share one or more attack vectors tied to the module.
- 5x Active Machines: After building a good foundation with the modules and the retired machines, we can venture to two easy, two medium, and one hard active machine. We can also take these from the corresponding module recommendations at the end of each module in Academy.
- 1x Pro Lab / Endgame: These labs are large multi-host environments that often simulate enterprise networks of varying sizes, similar to those we could run into during actual penetration tests for our clients.