1. The Practice of Cybersecurity
●​ Description: This unit explores the foundational elements of cybersecurity,
differentiating it from information security and outlining the concepts of offensive
and defensive security strategies. It also delves into security models and risk
assessment, which are crucial for understanding how to protect systems and
data.
●​ Topics:​
○​ Cybersecurity Fundamentals
○​
○​ Cybersecurity vs. Information Security
○​
○​ Offensive Security vs. Defensive Security
○​
○​ Security Models and Risk Assessment
○​
●​ Learning Guidance:​
○​ Understand the core definitions and principles.
○​
○​ Learn to differentiate between cybersecurity and information security.
○​
○​ Study different security models (e.g., CIA triad).
○​
○​ Learn how to conduct basic risk assessments.
○​
●​ Related Informational Context:​
○​ Basic networking concepts
○​
○​ Operating system fundamentals
○​
○​ NIST Cybersecurity Framework
○​
○​ SANS Institute resources
○​
●​ Learning Objectives:​
○​ Recognize the challenges unique to information security.
○​
○​ Understand how "offensive" and "defensive" security reflect each other.
○​
○​ Begin to build a mental model of useful mindsets applicable to information
security.
○​
●​ Guided Questions:​
○​ Cybersecurity Fundamentals:
■​ What are the fundamental principles and goals of cybersecurity?
■​
■​ Explain the importance of cybersecurity in today's digital landscape.
■​
■​ What are the core components of cybersecurity, and how do they
differ from those of information security?
■​
○​ Cybersecurity vs. Information Security:
■​ What are the key differences between cybersecurity and information
security?
■​
■​ Provide examples to illustrate the distinct focus of each field.
■​
○​ Offensive Security vs. Defensive Security:
■​ Describe the concepts of offensive security and defensive security.
■​
■​ Explain how these two approaches complement each other.
■​
■​ Give examples of tools and techniques used in each.
■​
■​ Explain the relationship between offensive and defensive security
strategies. Provide examples of tools and techniques used in each.
■​
○​ Security Models and Risk Assessment:
■​ Explain the purpose of security models in cybersecurity.
■​
■​ Describe the CIA triad model and its components.
■​
■​ What are the steps involved in conducting a risk assessment?
■​
■​ How do you prioritize risks based on their likelihood and impact?
■​
■​ How is a risk assessment conducted, and what are the key factors
that must be considered?
■​
■​ Can you describe a scenario where a security model, such as the
CIA triad, would be applied to protect data?
■​
○​ What are some of the challenges that are unique to information security?
○​
○​ How can an understanding of offensive security enhance defensive
security practices, and vice versa?
○​
○​ In what ways can an individual develop a useful mindset for approaching
information security challenges?
○​
2. Threats and Threat Actors
●​ Description: This unit focuses on identifying potential threats and understanding
the motivations and methods of various threat actors. It covers different attack
vectors and the importance of understanding risks, threats, vulnerabilities, and
exploits.
●​
●​ Topics:
○​ Attack Vectors: Malware, Ransomware, Phishing, Social Engineering
○​
○​ Types of Threat Actors: Script Kiddies, Hacktivists, Cybercriminals, APT
Groups
○​
○​ Understanding Risks, Threats, Vulnerabilities, and Exploits
○​
○​ Case Studies of Recent Cyber Attacks
○​
●​ Learning Guidance:
○​ Study common attack vectors and how they are used.
○​
○​ Learn to classify different threat actors based on their motives.
○​
○​ Understand the relationships between risks, threats, vulnerabilities, and
exploits.
○​
○​ Analyze case studies of cyber attacks to understand real-world
applications.
○​
●​ Related Informational Context:
○​ Knowledge of current cyber events and trends
○​
○​ Basic understanding of malware types
○​
○​ MITRE ATT&CK framework
○​
○​ Security blogs and news websites
○​
●​ Learning Objectives:
○​ Understand how attackers and defenders learn from each other.
○​
○​ Understand the differences between risks, threats, vulnerabilities, and
exploits.
○​
○​ List and describe different classes of threat actor.
○​
○​ Recognize some recent cybersecurity attacks.
○​
●​ Guided Questions:
○​ Attack Vectors: Malware, Ransomware, Phishing, Social Engineering:
■​ Define malware and give examples of different malware types.
■​
■​ Explain how ransomware works and its impact on victims.
■​
■​ Describe phishing techniques and how they are used to deceive
individuals.
■​
■​ What is social engineering, and what are some common social
engineering tactics?
■​
■​ What are the differences between malware, ransomware, phishing,
and social engineering? Give examples of each.
■​
○​ Types of Threat Actors: Script Kiddies, Hacktivists, Cybercriminals, APT
Groups:
■​ Describe the characteristics and motivations of script kiddies.
■​
■​ What are hacktivists, and what are their typical goals?
■​
■​ Explain the motivations and activities of cybercriminals.
■​
■​ What are APT groups, and what are their typical targets and
methods?
■​
■​ How do the motivations and goals differ between script kiddies,
hacktivists, cybercriminals, and APT groups?
■​
○​ Understanding Risks, Threats, Vulnerabilities, and Exploits:
■​ Define risk, threat, vulnerability, and exploit.
■​
■​ Explain the relationships between these concepts.
■​
■​ Provide an example to illustrate how they relate to each other in a
cybersecurity incident.
■​
■​ Explain the relationship between risk, threat, vulnerability, and
exploit with an example.
■​
○​ Case Studies of Recent Cyber Attacks:
■​ Identify a recent cyber attack and describe the attack vector used.
■​
■​ What type of threat actor was involved in the attack?
■​
■​ What was the impact of the attack on the victims?
■​
■​ What are some recent high-profile cyber attacks, and what attack
vectors and threat actors were involved?
■​
○​ In what ways do attackers and defenders learn from each other in the
ongoing cybersecurity landscape?
○​
○​ How can understanding the different classes of threat actors inform the
development of more effective cybersecurity defenses?
○​
○​ What steps can an organization take to stay informed about and protect
against recent cybersecurity attacks?
○​
3. Cybersecurity Principles
●​ Description: This unit covers the fundamental principles that guide cybersecurity
practices. It includes the CIA Triad, defense in depth, threat intelligence, risk
management, and cybersecurity laws, regulations, and compliance.
●​
●​ Topics:
○​ The CIA Triad (Confidentiality, Integrity, Availability)
○​
○​ Defense in Depth: Layered Security Approaches
○​
○​ Threat Intelligence and Risk Management
○​
○​ Cybersecurity Laws, Regulations, and Compliance (GDPR, HIPAA, PCI-DSS,
NIST, ISO 27001)
○​
○​ Career Opportunities in Cybersecurity
○​
●​ How to Learn:
○​ Thoroughly understand the CIA Triad and its applications.
○​
○​ Learn different defense in depth strategies.
○​
○​ Study key laws, regulations, and compliance standards.
○​
○​ Research various career paths within cybersecurity.
○​
○​ Explain the components of the CIA Triad.
○​
○​ Describe the defense in depth strategy and provide examples.
○​
○​ Define threat intelligence and risk management.
○​
○​ Identify key cybersecurity laws, regulations, and compliance standards.
○​
●​ Related Informational Context:
○​ Knowledge of organizational security policies
○​
○​ Awareness of legal and ethical considerations in cybersecurity
○​
○​ Legal resources on cybersecurity laws
○​
○​ Industry-specific compliance documentation
○​
●​ Learning Objectives:
○​ Understand the importance of multiple layers of defense in a security
strategy.
○​
○​ Describe threat intelligence and its applications in an organization.
○​
○​ Learn why access and user privileges should be restricted as much as
possible.
○​
○​ Understand why security should not depend on secrecy.
○​
○​ Identify policies that can mitigate threats to an organization.
○​
○​ Determine which controls an organization can use to mitigate cybersecurity
threats.
○​
○​ Gain a broad understanding of various legal and regulatory issues
surrounding cybersecurity.
○​
○​ Understand different frameworks and standards that help organizations
orient their cybersecurity activities.
○​
○​ Identify career opportunities in cybersecurity.
●​ Guided Questions:
○​ The CIA Triad (Confidentiality, Integrity, Availability):
■​ Define confidentiality, integrity, and availability.
■​ Provide examples of how each component of the CIA Triad is
implemented in practice.
■​ Explain each component of the CIA Triad and provide examples of
how they are applied in
4. Information Gathering
●​ Description: This section covers the critical phase of information gathering in
penetration testing. It includes both passive and active reconnaissance techniques.
●​ Topics:​
○​ Passive Information Gathering (OSINT): Google Dorking, WHOIS & DNS
Enumeration, Email and Social Media Recon, Shodan, Censys, and Public Data
Mining
○​
○​ Active Information Gathering: Nmap, Masscan, Service Enumeration (SMB,
SNMP, SMTP, HTTP), Banner Grabbing & Fingerprinting
○​
●​ Learning Guidance:​
○​ Learn different passive and active information gathering approaches.
○​
○​ Practice using OSINT tools and techniques, including Google Dorking, WHOIS,
DNS enumeration, TheHarvester, Maltego, Shodan, and Censys.
○​
○​ Understand how to gather information from web servers and DNS.
○​
○​ Master the use of Nmap and Masscan for port scanning.
○​
○​ Learn how to enumerate services such as SMB, SNMP, SMTP, and HTTP.
○​
○​ Practice banner grabbing and fingerprinting to identify services and operating
systems.
●​ Related Informational Context:​
○​ Understanding of DNS records and domain structures
○​
○​ Familiarity with online search techniques
○​
○​ Networking protocols (TCP/IP)
○​
○​ Understanding of network services
○​
●​ Additional Information Sources:​
○​ OSINT Framework
○​
○​ Books and websites on open source intelligence
○​
○​ Nmap documentation and tutorials
○​
○​ Online resources on service enumeration
○​
●​ Learning Objectives:​
○​ Understand the two different Passive Information Gathering approaches.
○​
○​ Learn about Open Source Intelligence (OSINT).
○​
○​ Understand Web Server and DNS passive information gathering.
○​
○​ Learn to perform Netcat and Nmap port scanning.
○​
○​ Conduct DNS, SMB, SMTP, and SNMP Enumeration.
○​
●​ Guided Questions:​
○​ Passive Information Gathering Approaches:
■​ What are some different approaches to passive information gathering?
■​
■​ Provide examples of techniques used in each approach.
■​
■​ What are the two different Passive Information Gathering approaches?
■​ What types of information can be obtained through passive information
gathering?
■​
○​ Open Source Intelligence (OSINT):
●​
●​
●​
●​
●​
●​
●​
■​ What is Open Source Intelligence (OSINT)?
■​
■​ What are some tools and resources that can be used for OSINT
gathering?
■​
■​ What are some tools and resources used for OSINT gathering?
■​
○​ Web Server and DNS Passive Information Gathering:
■​ Understand Web Server and DNS passive information gathering.
■​
■​ How can you gather information from web servers using passive
techniques?
■​
■​ How can you gather information from DNS using passive techniques?
■​
○​ Active Information Gathering: Netcat and Nmap Port Scanning:
■​ Learn to perform Netcat and Nmap port scanning.
■​
■​ How can Netcat be used for port scanning?
■​
■​ How can Nmap be used for port scanning?
■​
■​ What are the differences between Netcat and Nmap?
■​
○​ Enumeration: DNS, SMB, SMTP, and SNMP:
■​ Conduct DNS, SMB, SMTP, and SNMP Enumeration.
■​
■​ What is DNS enumeration, and how is it performed?
■​
■​ What is SMB enumeration, and what information can be obtained?
■​
■​ What is SMTP enumeration, and how is it used?
■​
■​ What is SNMP enumeration, and what information can be gathered?
"What is the purpose of a domain controller in Active Directory?"
"How can you identify the domain controllers for a specific Active Directory domain?"
"Explain the role of DNS in Active Directory and how it can be used for reconnaissance."
"What information can be obtained through LDAP enumeration in Active Directory?"
"How can you use enum4linux to gather information about users, groups, and policies
in Active Directory?"
"What is the purpose of Service Principal Names (SPNs) in Active Directory, and how
can they be enumerated?"
"How does BloodHound help in visualizing and understanding Active Directory
relationships and attack paths?"
●​ "What are Active Directory trusts, and how can they be enumerated and potentially
exploited?"
●​
5. Vulnerability Scanning
●​ Description: This section focuses on identifying vulnerabilities in systems and
applications using various scanning tools and techniques.
●​ Topics:
○​ Vulnerability Scanning: Living off the Land Techniques, Vulnerability Scanning
Process, Types of Vulnerability Scans, Vulnerability Scan Considerations
○​ Vulnerability Scanning with Nessus: Nessus Installation, Nessus Components
and Plugins, Authenticated Vulnerability Scans
○​ Vulnerability Scanning with Nmap: Nmap Scripting Engine (NSE), Lightweight
Vulnerability Scanning with Nmap, Custom NSE Scripts
○​ CVE Analysis, Exploit-DB and SearchSploit
●​ How to Learn:
○​ Understand "Living off the Land" techniques.
○​ Gain a basic understanding of the Vulnerability Scanning process.
○​ Learn about the different types of Vulnerability Scans.
○​ Understand the considerations of a Vulnerability Scan.
○​
○​ Install Nessus.
○​ Understand the different Nessus Components.
○​ Configure and perform a vulnerability scan.
○​ Understand and work with the results of a vulnerability scan with Nessus.
○​ Provide credentials to perform an authenticated vulnerability scan.
○​
○​ Gain a basic understanding of Nessus Plugins.
○​ Understand the basics of the Nmap Scripting Engine.
○​
○​ Gain a basic understanding of vulnerability scanning with Nmap.
○​ Learn how to use the Nmap Scripting Engine (NSE).
○​ Perform lightweight vulnerability scanning with Nmap.
○​ Work with custom NSE scripts.
○​ CVE analysis and using resources like Exploit-DB and SearchSploit.
●​ Related Informational Context:
○​ Knowledge of system administration
○​ Familiarity with common vulnerabilities and exposures (CVEs)
●​ Additional Information Sources:
○​ Nessus documentation and tutorials
○​ Nmap NSE documentation
○​ Exploit-DB and SearchSploit resources
○​ Online vulnerability databases
●​ Learning Objectives:
○​ Describe the vulnerability scanning process.
○​ Explain the different types of vulnerability scans.
○​ Discuss considerations when performing a vulnerability scan.
○​ Install Nessus and describe its components.
○​ Perform authenticated vulnerability scans with Nessus.
○​ Understand the purpose and usage of Nessus plugins.
○​ Understand the basics of the Nmap Scripting Engine (NSE).
○​ Perform vulnerability scanning with Nmap.
○​ Utilize custom NSE scripts for specific vulnerability checks.
○​ Conduct CVE analysis and utilize resources like Exploit-DB and SearchSploit.
●​ Guided Questions:
○​ Vulnerability Scanning: Living off the Land Techniques, Vulnerability Scanning
Process, Types of Vulnerability Scans, Vulnerability Scan Considerations
■​ What are "Living off the Land" techniques in the context of vulnerability
scanning, and why are they important?
■​ Describe the typical vulnerability scanning process, from planning to
reporting.
■​ What are the different types of vulnerability scans (e.g., authenticated vs.
unauthenticated, internal vs. external), and what are the pros and cons of
each?
■​ What factors should be considered before and during a vulnerability scan,
such as scope, impact, and potential disruptions?
○​ Vulnerability Scanning with Nessus: Nessus Installation, Nessus Components
and Plugins, Authenticated Vulnerability Scans
■​ How do you install and configure Nessus?
■​ What are the key components of Nessus (e.g., server, client, plugins), and
what is the function of each?
■​ What are plugins in Nessus, how are they managed, and how do they
contribute to the scanning process?
■​ How do authenticated and unauthenticated scans differ in Nessus, and
what are the requirements for performing authenticated scans?
■​ How do you perform an authenticated vulnerability scan using Nessus,
and why is it generally more effective than an unauthenticated scan?
■​ How do you interpret and analyze the results of a Nessus scan, and how
do you prioritize vulnerabilities for remediation?
○​ Vulnerability Scanning with Nmap: Nmap Scripting Engine (NSE), Lightweight
Vulnerability Scanning with Nmap, Custom NSE Scripts
■​ What is the Nmap Scripting Engine (NSE), and how does it extend
Nmap's functionality?
■​ How can Nmap be used for vulnerability scanning, beyond basic port
scanning?
■​ How can you perform lightweight vulnerability scanning with Nmap to
quickly identify potential issues?
●​
●​
●​
●​
●​
■​ How can you use or create custom NSE scripts for specific vulnerability
checks or to automate vulnerability assessments?
○​ CVE Analysis, Exploit-DB and SearchSploit
■​ What is a CVE (Common Vulnerabilities and Exposures), and how is it
used in vulnerability management and tracking?
■​ How can Exploit-DB and SearchSploit be used to find information about
known vulnerabilities, exploits, and proof-of-concept code?
■​ How do you analyze a CVE to determine its potential impact,
exploitability, and relevance to a specific system or environment?
■​ How can you use information from Exploit-DB or SearchSploit responsibly
and ethically during a penetration test?
○​ What are some common challenges encountered during vulnerability scanning,
such as false positives, false negatives, and scan interference, and how can they
be addressed?
○​ How can the results of a vulnerability scan be used to prioritize remediation
efforts and improve the overall security posture of an organization?
○​ How does vulnerability scanning fit into a broader vulnerability management
program?
○​ What are some legal and ethical considerations related to vulnerability scanning,
especially when performed on systems you do not own?
"What is Kerberoasting, and how can it be used to obtain password hashes in Active
Directory?"
"What is AS-REP roasting, and how does it differ from Kerberoasting?"
"How can Group Policy Objects (GPOs) be misconfigured, and what security risks can
result from these misconfigurations?"
"How can you use Nmap scripts to scan for Active Directory vulnerabilities, such as
those related to Kerberos or LDAP?"
"What are some common vulnerabilities associated with LDAP, and how can they be
exploited?"
●​
6. Exploitation
●​ Description: This section delves into the techniques used to exploit identified
vulnerabilities to gain unauthorized access to systems.
●​ Topics:
○​ Exploitation Frameworks: Metasploit Framework, SearchSploit
○​ Manual Exploitation: Understanding Exploits, Developing Exploits, Shellcode
○​ Client-Side Exploitation: Browser-Based Exploits, Document Exploits
○​ Web Application Exploitation: SQL Injection, Cross-Site Scripting (XSS),
Command Injection
○​ Buffer Overflows: Stack-Based Buffer Overflows
●​ How to Learn:
○​ Understand the basics of exploitation.
○​ Learn how to use the Metasploit Framework.
●​
●​
●​
●​
○​ Use SearchSploit to find exploits.
○​ Understand the different components of an exploit.
○​ Learn how to manually develop exploits.
○​ Understand the concept of shellcode.
○​ Learn about different client-side exploitation methods.
○​ Understand browser-based exploits.
○​ Understand document exploits.
○​ Learn about different web application exploitation methods.
○​ Understand SQL Injection.
○​ Understand Cross-Site Scripting (XSS).
○​ Understand Command Injection.
○​ Learn about Buffer Overflows.
○​ Understand Stack-Based Buffer Overflows.
Related Informational Context:
○​ Knowledge of programming concepts
○​ Understanding of operating system internals
○​ Web application security principles
Additional Information Sources:
○​ Metasploit documentation
○​ Exploit-DB
○​ OWASP resources on web application security
○​ Books and tutorials on exploit development
Learning Objectives:
○​ Understand how to use exploitation frameworks like Metasploit.
○​ Learn to find and utilize exploits from resources like Exploit-DB.
○​ Gain knowledge of manual exploitation techniques and exploit development.
○​ Understand the concept of shellcode and its role in exploitation.
○​ Learn about client-side exploitation methods, including browser-based and
document exploits.
○​ Understand common web application vulnerabilities like SQL Injection, XSS, and
Command Injection.
○​ Learn about buffer overflows and how they can be exploited.
Guided Questions:
○​ Exploitation Frameworks: Metasploit Framework, SearchSploit
■​ What is the Metasploit Framework, and how is it used in penetration
testing?
■​ How can SearchSploit be used to find exploits for known vulnerabilities?
■​ What are the advantages and disadvantages of using exploitation
frameworks versus manual exploitation?
○​ Manual Exploitation: Understanding Exploits, Developing Exploits, Shellcode
■​ What are the key components of an exploit?
■​ What are the basic steps involved in developing a simple exploit?
■​ What is shellcode, and what is its purpose in exploitation?
●​
●​
●​
●​
●​
●​
●​
●​
●​
■​ Explain the process of manual exploitation and the importance of
understanding exploit mechanics.
○​ Client-Side Exploitation: Browser-Based Exploits, Document Exploits
■​ What are client-side exploits, and how do they differ from server-side
exploits?
■​ How can browser-based vulnerabilities be exploited?
■​ How can document vulnerabilities (e.g., in PDF or Office files) be
exploited?
■​ Describe the techniques used in browser-based and document exploits.
○​ Web Application Exploitation: SQL Injection, Cross-Site Scripting (XSS),
Command Injection
■​ What is SQL Injection, and how can it be used to compromise a
database?
■​ What is Cross-Site Scripting (XSS), and what are the different types of
XSS attacks?
■​ What is Command Injection, and how can it be used to execute arbitrary
commands on a server?
■​ Explain the principles behind SQL Injection, XSS, and Command Injection
attacks.
○​ Buffer Overflows: Stack-Based Buffer Overflows
■​ What is a buffer overflow, and how does it occur?
■​ What is a stack-based buffer overflow, and how can it be exploited?
■​ What are the challenges involved in exploiting buffer overflows?
■​ Describe the mechanics of a stack-based buffer overflow and how it can
be leveraged for code execution.
What are some common challenges encountered during the exploitation phase of a
penetration test?
How can you mitigate the risks associated with client-side and web application
vulnerabilities?
What ethical considerations should be kept in mind when performing exploitation
activities?
"How can you exploit Kerberoasting or AS-REP roasting to obtain user credentials and
gain initial access to Active Directory?"
"Explain how the 'Pass the Hash' and 'Pass the Ticket' attacks work in an Active
Directory environment and how they can be used to move laterally."
"How can you use Metasploit modules to exploit Active Directory vulnerabilities?"
"What is the purpose of Impacket, and how can it be used for Active Directory
exploitation?"
"What is Mimikatz, and what are its capabilities in extracting credentials and other
sensitive information from Active Directory?"
"Explain how you can use tools and techniques to achieve domain administrator
privileges in an Active Directory environment."
7. Post-Exploitation
●​ Description: This section covers the actions taken after successfully exploiting a system
to maintain access, gather further information, and achieve objectives.
●​ Topics:
○​ Post-Exploitation Fundamentals
○​ Basic Linux Post-Exploitation
○​ Basic Windows Post-Exploitation
○​ Privilege Escalation
●​ How to Learn:
○​ Understand the fundamentals of post-exploitation.
○​ Learn basic Linux post-exploitation techniques.
○​ Learn basic Windows post-exploitation techniques.
○​ Understand the concept of Privilege Escalation.
●​ Related Informational Context:
○​ Operating system concepts (Linux and Windows)
○​ File system navigation
○​ User and group management
○​ Common system commands
●​ Additional Information Sources:
○​ Online resources on post-exploitation
○​ Linux and Windows system administration documentation
○​ Privilege escalation guides
●​ Learning Objectives:
○​ Understand the goals and techniques of post-exploitation.
○​ Perform basic post-exploitation tasks on Linux systems.
○​ Perform basic post-exploitation tasks on Windows systems.
○​ Understand the concept of privilege escalation and its importance.
●​ Guided Questions:
○​ Post-Exploitation Fundamentals
■​ What are the fundamental goals of post-exploitation in a penetration test?
■​ What are some common initial steps taken after gaining access to a
system?
■​ What are some common post-exploitation tasks?
○​ Basic Linux Post-Exploitation
■​ What are some basic Linux commands used for post-exploitation?
■​ How can you gather system information on a compromised Linux host?
■​ How can you transfer files to and from a compromised Linux host?
■​ What are some common directories and files of interest during Linux
post-exploitation?
○​ Basic Windows Post-Exploitation
■​ What are some basic Windows commands used for post-exploitation?
■​ How can you gather system information on a compromised Windows
host?
■​ How can you transfer files to and from a compromised Windows host?
●​
●​
●​
●​
●​
●​
■​ What are some common directories and files of interest during Windows
post-exploitation?
○​ Privilege Escalation
■​ What is privilege escalation, and why is it important in penetration testing?
■​ What are some common methods for privilege escalation on Linux?
■​ What are some common methods for privilege escalation on Windows?
■​ Describe the concept of Privilege Escalation.
■​ What are some common privilege escalation techniques on both Linux
and Windows systems?
○​ What are some important considerations for maintaining persistence on a
compromised system?
○​ How can you use post-exploitation techniques to gather evidence or pivot to
other systems?
○​ What are the ethical considerations related to post-exploitation activities?
"How can you achieve persistence in Active Directory after gaining domain administrator
privileges (e.g., creating rogue domain controllers, using WMI persistence)?"
"What is the NTDS.dit file, and how can it be dumped to obtain password hashes for all
domain users?"
"Explain the concept of a Golden Ticket and how it can be used to gain persistent and
unrestricted access to Active Directory."
"What is a Silver Ticket, and how does it differ from a Golden Ticket?"
"How can you use post-exploitation techniques to move laterally within an Active
Directory domain and compromise additional systems?"
"How can you use PowerShell for post-exploitation tasks in Active Directory, such as
querying information, creating users, or modifying group memberships?"
●​
8. Password Attacks
●​ Description: This section covers techniques for cracking passwords to gain
unauthorized access to accounts and systems.
●​ Topics:
○​ Password Cracking
○​ Password Hashes
○​ Password Cracking Tools
○​ Online Password Attacks
●​ How to Learn:
○​ Understand the basics of password cracking.
○​ Learn about password hashes and how they are used.
○​ Learn how to use password cracking tools.
○​ Understand online password attacks.
●​ Related Informational Context:
○​ Cryptography basics
○​ Authentication mechanisms
○​ Common password policies
●​ Additional Information Sources:
○​ Documentation for password cracking tools (e.g., John the Ripper, Hashcat)
○​ Online resources on password security
●​ Learning Objectives:
○​ Understand the principles of password cracking.
○​ Learn about different types of password hashes.
○​ Use common password cracking tools effectively.
○​ Understand the techniques used in online password attacks.
●​ Guided Questions:
○​ Password Cracking
■​ What is password cracking, and what are the different types of password
attacks?
■​ What are the objectives of password cracking in a penetration test?
■​ What are the ethical considerations surrounding password cracking?
○​ Password Hashes
■​ What is a password hash, and why are hashes used to store passwords?
■​ What are some common hashing algorithms used for passwords?
■​ What are the differences between various password hashing algorithms?
○​ Password Cracking Tools
■​ What are some common password cracking tools?
■​ How do tools like John the Ripper and Hashcat work?
■​ How can you optimize password cracking using tools like Hashcat or John
the Ripper?
○​ Online Password Attacks
■​ What are online password attacks?
■​ What are some common online password attack techniques (e.g.,
brute-force, dictionary attacks)?
■​ How can online password attacks be mitigated?
■​ How should credentials and password attacks be treated in Challenge
Labs?
■​ How to use the password cracking skills that are being taught within these
simulated environments.
○​ What are rainbow tables, and how are they used in password cracking?
○​ What are some common password vulnerabilities that make passwords easier to
crack?
○​ How can organizations improve their password security practices?
9. The OSCP Penetration Testing Methodology
●​ Description: This section outlines a structured approach to penetration testing,
providing a framework for conducting effective assessments.
●​ Topics:
○​ Penetration Testing Phases
○​ Scoping and Rules of Engagement
○​ Documentation and Reporting
●​ How to Learn:
○​ Understand the different phases of a penetration test.
○​ Learn about scoping and rules of engagement.
○​ Understand the importance of documentation and reporting.
●​ Related Informational Context:
○​ Industry best practices for penetration testing
○​ Legal and ethical considerations in penetration testing
●​ Additional Information Sources:
○​ Penetration testing methodologies (e.g., NIST, PTES)
○​ Legal resources on ethical hacking
●​ Learning Objectives:
○​ Understand the key phases of a penetration testing engagement.
○​ Learn how to define the scope and rules of engagement for a penetration test.
○​ Understand the importance of clear and comprehensive documentation and
reporting.
●​ Guided Questions:
○​ Penetration Testing Phases
■​ What are the typical phases of a penetration testing methodology?
■​ Describe the activities performed in each phase of a penetration test.
■​ What is the importance of following a structured penetration testing
methodology?
○​ Scoping and Rules of Engagement
■​ What is the importance of scoping in a penetration test?
■​ What are rules of engagement, and why are they necessary?
■​ What elements should be included in a scope of work and rules of
engagement document?
○​ Documentation and Reporting
■​ Why is documentation important in penetration testing?
■​ What information should be included in a penetration test report?
■​ What are the key components of a comprehensive penetration testing
report?
○​ How does the OSCP methodology differ from other penetration testing
methodologies?
○​ What are some common challenges encountered during each phase of a
penetration test?
○​ How can you ensure that a penetration test is conducted ethically and legally?
10. Linux Essentials
●​ Description: This section provides essential knowledge of the Linux operating system,
which is commonly encountered in penetration testing.
●​ Topics:
○​ Linux Fundamentals
○​ Navigating the Linux Filesystem
○​ Linux Commands
●​
●​
●​
●​
●​
○​ File Permissions
○​ Basic Bash Scripting
How to Learn:
○​ Understand the basics of the Linux operating system.
○​ Learn how to navigate the Linux filesystem.
○​ Learn essential Linux commands.
○​ Understand Linux file permissions.
○​ Learn the basics of Bash scripting.
Related Informational Context:
○​ Operating system concepts
○​ Command-line interfaces
Additional Information Sources:
○​ Linux documentation and tutorials
○​ Online resources for learning Linux
Learning Objectives:
○​ Understand the basic architecture and concepts of Linux.
○​ Navigate the Linux filesystem using the command line.
○​ Use essential Linux commands for file manipulation, system administration, and
other tasks.
○​ Understand how Linux file permissions work and how to manage them.
○​ Write basic Bash scripts to automate tasks.
Guided Questions:
○​ Linux Fundamentals
■​ What are the fundamental components of the Linux operating system?
■​ What are some key differences between Linux and other operating
systems?
■​ What is the Linux kernel, and what role does it play?
○​ Navigating the Linux Filesystem
■​ How do you navigate the Linux filesystem using the command line?
■​ What are some important directories in the Linux filesystem (e.g., /,
/home, /etc)?
■​ What commands are used to list, create, delete, and move files and
directories?
○​ Linux Commands
■​ What are some essential Linux commands for file manipulation (e.g., cp,
mv, rm)?
■​ What are some important Linux commands for system administration
(e.g., ps, top, systemctl)?
■​ What commands are used for searching within files and directories (e.g.,
grep, find)?
○​ File Permissions
■​ How do Linux file permissions work?
■​ What are the different types of file permissions (read, write, execute)?
■​ How can you change file permissions using the chmod command?
○​ Basic Bash Scripting
■​ What is Bash scripting, and why is it useful?
■​ What are some basic elements of a Bash script (e.g., variables, loops,
conditional statements)?
■​ How can you execute a Bash script?
○​ Why is a strong understanding of Linux essential for penetration testing?
○​ What are some common Linux security configurations that penetration testers
should be aware of?
○​ How can you use Linux commands and scripting to automate penetration testing
tasks?
11. Windows Essentials
●​ Description: This section provides essential knowledge of the Windows operating
system, which is also commonly encountered in penetration testing.
●​ Topics:
○​ Windows Fundamentals
○​ Navigating the Windows Filesystem
○​ Windows Commands
○​ File Permissions
○​ Basic PowerShell Scripting
●​ How to Learn:
○​ Understand the basics of the Windows operating system.
○​ Learn how to navigate the Windows filesystem.
○​ Learn essential Windows commands.
○​ Understand Windows file permissions.
○​ Learn the basics of PowerShell scripting.
●​ Related Informational Context:
○​ Operating system concepts
○​ Command-line interfaces (Command Prompt and PowerShell)
●​ Additional Information Sources:
○​ Windows documentation and tutorials
○​ Online resources for learning Windows
●​ Learning Objectives:
○​ Understand the basic architecture and concepts of Windows.
○​ Navigate the Windows filesystem using the command line (Command Prompt
and PowerShell).
○​ Use essential Windows commands for file manipulation, system administration,
and other tasks.
○​ Understand how Windows file permissions work and how to manage them.
○​ Write basic PowerShell scripts to automate tasks.
●​ Guided Questions:
○​ Windows Fundamentals
■​ What are the fundamental components of the Windows operating
system?
○​
○​
○​
○​
○​
○​
○​
■​ What are some key differences between Windows and other operating
systems?
■​ What is the Windows kernel, and what role does it play?
Navigating the Windows Filesystem
■​ How do you navigate the Windows filesystem using the command line
(Command Prompt and PowerShell)?
■​ What are some important directories in the Windows filesystem (e.g., C:\,
Program Files, Users)?
■​ What commands are used to list, create, delete, and move files and
directories in both Command Prompt and PowerShell?
Windows Commands
■​ What are some essential Windows commands for file manipulation (e.g.,
copy, move, del)?
■​ What are some important Windows commands for system administration
(e.g., tasklist, taskkill, netstat)?
■​ What are some common PowerShell cmdlets for managing files and
directories?
File Permissions
■​ How do Windows file permissions work?
■​ What are the different types of file permissions (e.g., Read, Write,
Execute, Full Control)?
■​ How can you manage file permissions in Windows?
Basic PowerShell Scripting
■​ What is PowerShell scripting, and why is it useful?
■​ What are some basic elements of a PowerShell script (e.g., variables,
loops, conditional statements)?
■​ How can you execute a PowerShell script?
Why is a strong understanding of Windows essential for penetration testing?
What are some common Windows security configurations that penetration testers
should be aware of?
How can you use Windows commands and PowerShell scripting to automate
penetration testing tasks?
12. Networking Essentials
●​ Description: This section provides essential knowledge of computer networking, which
is fundamental to understanding how systems communicate and how attacks are carried
out.
●​ Topics:
○​ Networking Fundamentals
○​ TCP/IP Model
○​ IP Addressing
○​ Subnetting
○​ Common Network Protocols
●​ How to Learn:
●​
●​
●​
●​
○​ Understand the basics of computer networking.
○​ Learn about the TCP/IP model.
○​ Understand IP addressing and subnetting.
○​ Learn about common network protocols.
Related Informational Context:
○​ Computer architecture
○​ Network devices
Additional Information Sources:
○​ Networking textbooks and online resources
○​ RFC documents for network protocols
Learning Objectives:
○​ Understand the fundamental concepts of computer networking.
○​ Describe the layers of the TCP/IP model and their functions.
○​ Understand IP addressing, including IPv4 and IPv6.
○​ Perform basic subnetting calculations.
○​ Understand the purpose and function of common network protocols (e.g., HTTP,
HTTPS, DNS, DHCP, SSH, SMB).
Guided Questions:
○​ Networking Fundamentals
■​ What is computer networking, and what are its basic components?
■​ What are the different types of networks (e.g., LAN, WAN)?
■​ What are the benefits of networking?
○​ TCP/IP Model
■​ What is the TCP/IP model?
■​ What are the layers of the TCP/IP model, and what is the function of each
layer?
■​ How does data encapsulation work in the TCP/IP model?
○​ IP Addressing
■​ What is IP addressing?
■​ What are the differences between IPv4 and IPv6?
■​ What are the different classes of IPv4 addresses?
○​ Subnetting
■​ What is subnetting, and why is it used?
■​ How do you perform basic subnetting calculations?
■​ How does subnetting affect network addressing and routing?
○​ Common Network Protocols
■​ What are some common network protocols?
■​ What is the purpose and function of protocols like HTTP, HTTPS, DNS,
DHCP, SSH, and SMB?
■​ What are the common ports associated with these protocols?
○​ Why is a strong understanding of networking essential for penetration testing?
○​ How can you use network analysis tools (e.g., Wireshark, tcpdump) to examine
network traffic?
○​ What are some common network vulnerabilities that penetration testers should
be aware of?
13. Cryptography Essentials
●​ Description: This section provides essential knowledge of cryptography, which is crucial
for understanding secure communication and data protection.
●​ Topics:
○​ Cryptography Fundamentals
○​ Symmetric Cryptography
○​ Asymmetric Cryptography
○​ Hashing Algorithms
●​ How to Learn:
○​ Understand the basic concepts of cryptography.
○​ Learn about symmetric and asymmetric cryptography.
○​ Understand hashing algorithms.
●​ Related Informational Context:
○​ Mathematical concepts related to encryption
○​ Digital certificates and PKI
●​ Additional Information Sources:
○​ Cryptography textbooks and online resources
○​ NIST publications on cryptography
●​ Learning Objectives:
○​ Understand the fundamental principles of cryptography.
○​ Explain the differences between symmetric and asymmetric cryptography.
○​ Understand the purpose and function of hashing algorithms.
○​ Describe common cryptographic algorithms and their use cases.
●​ Guided Questions:
○​ Cryptography Fundamentals
■​ What is cryptography, and what are its main goals?
■​ What are some basic terms used in cryptography (e.g., plaintext,
ciphertext, key, encryption, decryption)?
■​ What is the difference between cryptography and cryptology?
○​ Symmetric Cryptography
■​ What is symmetric cryptography?
■​ How does symmetric encryption work?
■​ What are some common symmetric encryption algorithms (e.g., AES,
DES)?
■​ What are the advantages and disadvantages of symmetric cryptography?
○​ Asymmetric Cryptography
■​ What is asymmetric cryptography?
■​ How does asymmetric encryption work?
■​ What are some common asymmetric encryption algorithms (e.g., RSA,
ECC)?
○​
○​
○​
○​
■​ What are the advantages and disadvantages of asymmetric
cryptography?
Hashing Algorithms
■​ What is a hashing algorithm?
■​ What are the properties of a good hashing algorithm?
■​ What are some common hashing algorithms (e.g., SHA-256, MD5)?
■​ How are hashing algorithms used for security purposes?
How are cryptography and hashing used to protect data integrity and
confidentiality?
What are some common attacks against cryptographic systems?
How does cryptography relate to network security protocols (e.g., TLS, SSL,
SSH)?
14. Web Application Security
●​ Description: This section provides essential knowledge of web application security,
focusing on common vulnerabilities and how to identify and exploit them.
●​ Topics:
○​ Web Application Fundamentals
○​ Common Web Application Vulnerabilities
○​ Web Application Testing Tools
●​ How to Learn:
○​ Understand the basic concepts of web applications.
○​ Learn about common web application vulnerabilities.
○​ Learn how to use web application testing tools.
●​ Related Informational Context:
○​ Web development technologies (HTML, CSS, JavaScript)
○​ Web server architecture
●​ Additional Information Sources:
○​ OWASP (Open Web Application Security Project) resources
○​ Web application security testing tools documentation
●​ Learning Objectives:
○​ Understand the basic architecture and components of web applications.
○​ Identify and describe common web application vulnerabilities (e.g., SQL Injection,
XSS, CSRF).
○​ Use web application testing tools to find vulnerabilities.
○​ Understand how to prevent common web application vulnerabilities.
●​ Guided Questions:
○​ Web Application Fundamentals
■​ What is a web application?
■​ What are the basic components of a web application (e.g., client-side,
server-side, database)?
■​ How do web browsers communicate with web servers?
○​ Common Web Application Vulnerabilities
■​ What is SQL Injection, and how can it be exploited?
○​
○​
○​
○​
■​ What is Cross-Site Scripting (XSS), and what are the different types of
XSS attacks?
■​ What is Cross-Site Request Forgery (CSRF), and how does it work?
■​ What are some other common web application vulnerabilities (e.g.,
Command Injection, Insecure Direct Object References)?
Web Application Testing Tools
■​ What are some common web application testing tools?
■​ How can tools like Burp Suite and OWASP ZAP be used to find
vulnerabilities?
■​ What are the basic steps involved in web application penetration testing?
How can input validation and output encoding be used to prevent web application
vulnerabilities?
What are some common authentication and authorization vulnerabilities in web
applications?
How can you use web application testing techniques to assess the security of
APIs?
15. PWK Challenge Labs
●​ Description: This section provides an overview of the PWK Challenge Labs, designed
to simulate real-world penetration testing scenarios.
●​ Topics:
○​ PWK Challenge Lab Overview
○​ Challenge Lab Details
●​ How to Learn:
○​ Familiarize yourself with the different types of challenge labs.
○​ Practice thinking about dependencies and approaching complex scenarios.
○​ Understand how network configurations and decoy machines can affect your
approach.
●​ Related Informational Context:
○​ Solid understanding of penetration testing methodologies
●​ Additional Information Sources:
○​ OffSec documentation and support
○​ Community forums and discussions
●​ Learning Objectives:
○​ Understand the purpose and structure of the PWK Challenge Labs.
○​ Learn how to approach complex penetration testing scenarios with
dependencies.
○​ Understand the concepts of decoy machines and network configurations in the
labs.
●​ Guided Questions:
○​ PWK Challenge Lab Overview
■​ What is the purpose of the PWK Challenge Labs?
■​ How do the Challenge Labs simulate real-world penetration testing
scenarios?
○​
○​
○​
○​
■​ What are the different types of Challenge Labs?
Challenge Lab Details
■​ What is the concept of dependency in penetration testing labs?
■​ How can you effectively map out and understand machine dependencies?
■​ Why should you disregard IP address ordering in Challenge Labs?
■​ Explain why using IP ordering as a hint for the next step can be harmful.
■​ What are "decoy" machines in the context of Challenge Labs?
■​ Explain how to identify and avoid "decoy" machines.
■​ How do Routers and Network Address Translation (NAT) affect the
scenarios in Challenge Labs?
■​ Describe how NAT will affect your testing methodology.
■​ How should credentials and password attacks be treated in Challenge
Labs?
■​ How to use the password cracking skills that are being taught within these
simulated environments.
What strategies can you use to manage your time effectively in the Challenge
Labs?
How can you use the Challenge Labs to prepare for the OSCP exam?
What are some common mistakes that students make in the Challenge Labs, and
how can they be avoided?
16. The OSCP Exam Information
●​ Description: This section provides information about the OSCP Certification Exam.
●​ Topics:
○​ Learn about the OSCP Certification Exam
●​ Learning Guidance:
○​ Review the exam objectives and format.
○​ Prepare thoroughly by practicing in the labs and reviewing course materials.
●​ Related Informational Context:
○​ Completion of the PWK course and sufficient practice
●​ Additional Information Sources:
○​ OffSec website and exam guide
●​ Learning Objectives:
○​ Understand the format, objectives, and requirements of the OSCP Certification
Exam.
○​ Prepare effectively for the OSCP exam.
●​ Guided Questions:
○​ OSCP Certification Exam information
■​ What is the OSCP Certification Exam, and what does it certify in terms of
skills and knowledge?
■​ What is the format of the OSCP exam, including the types of machines,
scoring, and time constraints?
■​ How should candidates prepare for the OSCP exam, and what are the
key areas to focus on during their preparation?
■​ What are the exam objectives, and what specific skills and concepts will
be tested?
■​ What are some common mistakes that candidates make on the OSCP
exam, and how can they be avoided?
■​ What strategies can candidates use to manage their time effectively
during the OSCP exam?
■​ How can candidates deal with exam-related stress and anxiety?
■​ What are the reporting requirements for the OSCP exam, and how should
candidates document their findings?
■​ What resources are available to help candidates prepare for the OSCP
exam, such as practice exams or study guides?
■​ How can candidates use the PWK labs and Challenge Labs to prepare for
the OSCP exam?
■​ What are some ethical considerations that candidates should keep in
mind during the OSCP exam?
■​ How can candidates improve their problem-solving and critical thinking
skills to succeed on the OSCP exam?
■​ What strategies can candidates use to stay motivated and focused during
the OSCP exam preparation process?
■​ How can candidates use feedback from practice exams or lab exercises
to improve their performance on the OSCP exam?
■​ What are some effective methods for reviewing course materials and
notes in preparation for the OSCP exam?