Ben Sadeghipour - Hacking Organizations: Phishing Not Required $1,800 EARLY $1,450

Name of training:
Hacking Organizations: Phishing Not Required

Trainer bio:
Ben Sadeghipour, also known as NahamSec, is a hacker, content creator, trainer, public speaker, and conference organizer. He has extensive experience in ethical hacking and bug bounty hunting, having identified and exploited thousands of security vulnerabilities for companies such as Apple, Yahoo, Google, Airbnb, Snapchat, the US Department of Defense, and Yelp. Sadeghipour was formerly the head of Hacker Education at HackerOne. In addition to his professional pursuits, Sadeghipour also creates content on YouTube and Twitch to help others get into ethical hacking, bug bounty, web hacking and reconnaissance.

Trainer(s) social media links:
Twitter.com/NahamSec

YouTube.com/NahamSec

Do you have links to sites that promoted your past training so we can better understand how you presented it to the public?
https://hackfest.ca/en/trainings/web/

https://appsecus2018.sched.com/event/EyjH/3-day-training-hacking-your-organization-one-step-at-a-time

Class overview:
“Hacking Organizations: Phishing Not Required” is a comprehensive course designed to teach students how to identify vulnerabilities in web applications and digital assets from an external perspective. The first two days of the course is cover the ten most common vulnerabilities found in web applications as well as principles of reconnaissance. On the third day, students will apply these skills to develop a technique for identifying impactful vulnerabilities that potentially allow access to an organization's internal infrastructure. This training is appropriate for anyone interested in web application penetration testing, bug bounties, or joining a red team with a web and reconnaissance focus.

Class outline:

Day 1
Burp Suite Basics
HTTP Basic Refresher

Request Types

Headers

Respond Codes
Status Codes

Open Redirects + Labs
Whitelisting

Blacklisting

Basics of open redirects

Cross-Site Scripting (XSS) + Lab Reflected Cross-Site Scripting Stored Cross-Site Scripting Dom Cross-Site Scripting
Blind XSS Break

Cross Site Request forgery (CSRF) + Lab No CSRF token Reusable CSRF token

Insecure Direct Object References (IDOR) + Lab Incrementing IDs Weak encryption (B64) UUID from other vulnerabilities

Local file Read & Path Traversal + Lab

Path Traversal Basics

Local File read

Path traversal bypasses

Advanced Path Traversal and local file read

Server-Side Request Forgery (SSRF) + Lab
Understanding SSRF + Protocols
Local File Read
Blind SSRF and Port Scan
Accessing Local Network via SSRf
White Listing and Black Listing
Exploiting PDF Generators and Similar

Day 2

Privilege Escalation + Lab
Understanding user roles

Priv Esc through IDOR
Priv Esc via password brute force
Elevating user access roles

Arbitrary file upload + Lab
Unvalidated upload (php, asp, etc)
Path Traversal in uploaders

XML external entity (XXE) + Lab
Basics of XXE XXE in excel, docx, etc
XXE in PDF Generators

Remote Command / Code Execution
Understanding RCE
RCE via file uploads
Remote Command Injection in URL parsing

Weak or default credentials
Weak or default credential Basics
Wordlists
Looking through previous password dumps
Default Credentials
Password Guessing

Components with Known Vulnerabilities

SSRF
RCE via known vulnerabilities
Image Magick
Tomcat
Struts2

Shellshock
log4j

Reconnaissance - Asset Discovery + Hands on demo
DNS Basics
ASN Ranges (Cloud vs in house)
Subdomain Brute Forcing
Certificate Transparency
3rd Party tools (Shodan, Censys, etc)
Permutation and Environments
Automation Demo

Reconnaissance - Content Discovery + Lab
Creating and maintaining word list
Contextualizing directory/file brute forcing
Port scanning
Information gathering using https
Approaching APIs

Leveraging search engines for reconnaissance
Google Dorking
Leaked credentials
Finding additional information about your target

Methodology
Understanding company infrastructure
Identifying and prioritizing interesting assets
Combining asset discovery and content discovery
Looking for leads (documentation, API specs, etc)
Looking for patterns of mistake across an infrastructure
DNS Misconfigurations (subdomain or DNS takeover)
Understanding SSO
SSO Bypass or priv escalation

Final Lab + Test

Technical difficulty of the class:

This class is designed for beginner to intermediate level. While this training will offer and cover the foundations of web application hacking, it is highly suggested that students have a solid foundation in web application hacking and in web development.

Suggested prerequisites for the class:
HTTP Basics:
https://developer.mozilla.org/en-US/docs/Web/HTTP

How to set up burp suite:
https://portswigger.net/burp/documentation/desktop/getting-started/download-and-install

Understanding DNS:
https://www.cloudflare.com/learning/dns/what-is-dns

Items students will need to provide:
Students should bring in a laptop (Mac OS, Windows, or a Linux distribution of your choice) with a working browser. Please make sure you have installed Burp Suite and are able to intercept your browsers traffic.