Hacker Methodologies for Security Professionals (HMSP)

Course Overview

Mainstream media coverage of hacker groups and their exploits has left the public thinking that all of cyber security is black magic. While many attacks involve advanced networking and coding techniques, the majority of compromises are carried out by far less sophisticated attackers. Most of these individuals have learned the process of compromising servers and networks the same way all of us have learned technology: by researching online. The days of writing and compiling your own exploit code are long past. Most attackers use “point and pwn” utilities like Armitage, Cain & Abel, and the Social-Engineer Toolkit (SET) to cause havoc for organizations worldwide.

We believe that to emulate the various cyber threat vectors, it is critical to understand what most attacks have in common: their methodology. Bringing together decades of experience in government, commercial, and academic cyber security training and consulting, our instructors have developed and implemented multiple threat emulation methodologies. While methodologies change over time to account for new technologies and techniques, the concepts involved remain constant. This course provides a flexible methodology for emulating external and internal network intrusion threat vectors.

5 days
    • Impact and Relevance of Today’s Cyber Attacks
    • Reconnaissance Techniques Used by Most Intruders
    • Network, Host and Service Discovery Methods
    • Processes Employed to Enumerate System and User Information
    • How System Vulnerabilities are Identified
    • Multiple Tactics Used to Penetrate Systems
    • Various Techniques to Escalate System Privileges
    • Password Cracking
    • Network Presence Expansion Through Pivoting
    • How to Leverage Local Access for Maximum Compromise
    DAY 1: Footprinting

    • WHOIS and DNS Enumeration
      • Structure of Registration Organizations
      • Record Privacy Features
    • DNS Interrogation
      • Protocol Summary
      • Query Types
      • Zone Transfers / Reverse Lookups
    • Open Source INTelligence (OSINT)
      • Manual Methods
      • Automated Utilities
    • Host Discovery
      • ICMP Utilities
      • TCP Utilities
      • UDP Utilities
    • Service Discovery
      • TCP Port Scanning
      • UDP Port Scanning
      • Enumeration
    • Banner Grabbing
      • Simple Services
      • HTTP / Web Servers
      • UDP Based Services
    • Operating System Detection
      • Passive Methods
      • Active Methods
    • Vulnerability Scanning
      • Commercial Tools
      • Open Source Tools

    DAY 2: System Hacking (Windows)

    • Domain Enumeration
      • Passive Enumeration
      • Active Enumeration
    • User Enumeration
      • Windows SIDs
      • User Policy Enumeration
    • Penetration
      • Brute Force Attacks
      • Vulnerability Exploitation
      • Client Application Attacks
    • Privilege Escalation
      • Abusing Misconfigured Services
      • WMIC
      • Sysinternals Tools
    • Pillaging
      • Password Weaknesses
      • Searching for Sensitive Information
      • Mimikatz
    • Expanding Influence
      • Pivoting
      • Pass the Hash
      • Cached Credentials
    • Local Access
      • Programmable Human Interface Devices
      • PowerShell
      • Portable Virtualization Software

    DAY 3: System Hacking (UNIX)

    • User Enumeration
      • SMTP
      • Finger
      • SNMP
    • Penetration
      • Brute Force Revisited
      • Misconfigured Services
    • Privilege Escalation
      • SetUID Root
      • Abusing Sudo
    • Pillaging
      • Password Cracking
      • Finding Stored Credentials
    • Expanding Influence
      • Abusing Trust
      • TCP Port Forwarding
    • Local Access
      • Bootable Media
      • Firewire Attacks

    DAY 4: Web Hacking

    • Web Application Architecture
      • Browsers
      • Load Balancers
      • Web Servers
      • Web Applications
      • Databases
    • HTTP(S) Primer
      • Request Methods
      • Response Codes
      • SSL/TLS Implementations
    • Discovery
      • Technology
      • Site Mapping
    • Configuration Management
      • Application Vulnerabilities
      • Default / Misconfigured Settings
    • Authentication
      • Brute Force Attacks
      • Abusing Process Logic
    • Authorization
      • Lateral Privilege Escalation
      • Vertical Privilege Escalation
    • Session Handling
      • Session Hijacking Techniques
      • Session Confidentiality Issues
    • Data Validation
      • SQL Injection
      • Cross-Site Scripting
    • OWASP Top 10
      • History
      • Overview and Interpretation
      • Automated Assessment

    DAY 5: Final Exercise

    The practical exercise is a team-based Capture The Flag (CTF) event. Students work in teams to perform a thorough penetration test of a simulated corporation. Specific informational objectives are defined for each step of the process; these objectives take the form of “flags”. Teams gather all flags with as few hints as possible within the time allotted. Multiple hints are available for each flag, up to and including walking the student through the process required for success. The scoreboard is displayed throughout to motivate students to capture flags with the fewest hints.

    This course is over 60% hands-on. Students will:

    • Execute an Open Source Intelligence Process
    • Discover Hosts and Services Within a Realistic Network Environment
    • Identify Potential Vulnerabilities Using Popular Tools
    • Crack Passwords That are Hashed Using Different Methods
    • Practice Multiple Post-Exploitation Techniques
    • Gain Proficiency With an Exploitation Framework
    • Perform Several Web Application Attack Vectors
    • Compromise Sensitive Information on Simulated Production Systems
    • Engage in an Immersive, Interactive Capstone Exercise
    Although no specific courses are required, students should have some level of experience with Microsoft Windows and Linux operating systems as well as a basic understanding of TCP/IP networking.

    • Incident Responders Who Need to Understand and React to IDS Alerts
    • Network Defenders Seeking to Understand Common Access Methods
    • Security Managers Who Want to Improve Their Defensive Model
    • Security Operations Center Staff Seeking to Identify Signs of Compromise
    • New Members of Penetration Testing and Vulnerability Assessment Teams