Training Details

This is an immersive hands-on course that simulates a full-scale enterprise attack scenario. It allows students to assess the situation at every stage of a complex multi-layered penetration test and teaches them multiple ways to identify, enumerate, exploit and compromise an organisation.

Students will have access to a cloud-based LAB containing multiple networks, some of which are hidden. The theory and exercise content reflect real-world encounters rather than textbook challenges, and students will complete a vast number of exercises covering everything from OSINT and reconnaissance, to creating and executing phishing campaigns against our in-LAB live bots, all the way through to post-exploitation, lateral movement and C2 exfiltration.


Who Should Attend:

This training is suited to a variety of students, including:

  • Penetration Testers
  • Security Professionals
  • IT Support, Administrative and Network Personnel
  • Anyone looking to enter the world of technical security


Prerequisite Knowledge:

  • Familiarity with Windows and Linux command line syntax
  • A basic understanding of networking concepts


Hardware / Software Requirements:

  • Students will need to bring a laptop to which they have administrative/root access, running a Windows, Linux or Mac operating system
  • Students will need to have access to VNC, SSH and OpenVPN clients on their laptops


Each Student Will Receive:

HEUI Training Swags

  • 14-day extended LAB access after the course finishes
  • Access to a new LAB subnet and CTF style board with challenges to further test your skills
  • 14-day Slack support channel access where our security consultants are available
  • A Raspberry Pi with Kali Linux pre-installed
  • A portable wireless keyboard/mouse
  • A hard copy of the RTFM


Day 1

Introductions and LAB Overview

  • Overview of the LAB, subnets, challenges and targets
  • Introduction to infrastructure and application security assessments
  • Introduction to monitoring and alerting using our in-LAB ELK stack

Leveraging OSINT Activities

  • Data scraping: Certificate transparency logs, forums, social media, Shodan/ZoomEye, Google dorks and publicly disclosed data breaches
  • Extracting document metadata

Enumerating and Targeting IPv4 and IPv6 Hosts

  • IPv4/IPv6 construction and addressing schemes
  • Identifying local and remote IPv4/IPv6 hosts using tools and manual techniques
  • Port scanning, service enumeration and fingerprinting using nmap and atk6 toolsets
  • Using common tools including dirb, wpscan and Metasploit to target IPv6 hosts
  • Parsing and interpreting scan output

Exposure to Vulnerability Assessment Toolsets

  • Manual and automated approaches to vulnerability identification
  • Options for infrastructure/web
  • Differences in unauthenticated/authenticated scanning
  • Limitations of vulnerability tools vs manual methods

Linux Enumeration

  • Enumerating and targeting application servers
  • Identifying and enumerating services including SSH, IMAP, SMTP, HTTP/S
  • Using Metasploit, nmap scripts and public code

Linux Shells, Post Exploitation and Privilege Escalation (Covered in Days 1 and 2)

  • Exploiting weak file/folder permissions, ownership, SUID, SGID and sudo configurations
  • Hacking non-interactive shells and utilising binary breakouts/GTFOBins
  • Permission misconfigurations
  • Leveraging binary vulnerabilities to escalate privileges
  • Using Metasploit, hydra, ncrack and LinEnum

P@ssw0rd Cracking (Linux)

  • Shadow file construction, hashing and salting (bcrypt, SHAx, MD5)
  • Online/offline attack differences, limitations and tool options
  • Keyspace, attack types and pros/cons of each
  • Utilising hashcat

Windows Enumeration

  • Targeting SMB/LDAP for user enumeration
  • Explaining differences in data enumerated from unauthenticated/authenticated perspectives
  • User enumeration using recent SensePost research (2018), built-in toolsets and nmap scripting


  • Phishing campaign infrastructure (domains, SMTP, landing pages)
  • Campaign creation and execution against in-LAB live bots
  • Payload options and attacker motives
  • Gaining access to OWA mailboxes and target hosts on different networks


Day 2

Windows Shells, Post Exploitation and Privilege Escalation

  • Authenticated local/network enumeration
  • Local privilege escalation techniques
  • Kerberoasting
  • AMSI considerations and recent bypasses
  • Leveraging PowerView, Metasploit, Unicorn, SharpSploit and GhostPack
  • Extracting LAPS passwords
  • Domain Pass-the-Hash (PtH) and local PtH limitations/workarounds
  • Extracting clear-text passwords, tokens and LSA secrets
  • RDP session hijacking (time dependent)
  • Data exfiltration using PowerShell
  • Leveraging Mimikatz

P@ssw0rd Cracking (Windows)

  • Local and Active Directory storage
  • LM/NTLM/NTLMv1/v2/cached creds/Kerberos
  • Interactive/non-interactive challenge/response processes
  • Further hashcat usage including rules and mask attacks

Defensive Monitoring

  • Introduction to Kibana
  • Investigating events, e.g. Windows Defender shutdown, process spawning, task execution and associated metadata

Overcoming Restrictions/Policies Within an Active Directory Environment

  • AppLocker policies/configurations, PowerShell enumeration
  • Leveraging publicly disclosed methods/code and tools (GreatSCT)

Situational Awareness, Lateral Movement and Pivoting

  • Network segmentation, routing and ingress/egress controls
  • Locating, enumerating and targeting hosts on different networks
  • Metasploit routing and Meterpreter port forwarding
  • SOCKS proxies and proxychains
  • SSH tunnelling (Windows and Linux) for inter-network routing
  • Targeting hosts using common tools over tunnels
  • Mapping with BloodHound

Application and Database Enumeration and Exploitation

  • Web application enumeration and vulnerability identification over pivots/tunnels
  • Web browser developer tools and Burp Suite
  • Database structures and enumeration
  • SQL 101 and different types of SQL injection
  • Exploiting recent SQL injection vulnerabilities using manual techniques and sqlmap
  • Database password hash cracking

Abusing Domain Trusts to Compromise the Enterprise

  • Understanding Windows domain trusts
  • Enumerating trusted domains using PowerView
  • Leveraging Metasploit and built-in Windows functionality to enumerate target domains
  • Further Mimikatz usage

Gaining Persistence & Data Exfiltration Over OOB Channels

  • Persistence mechanisms including registry, services, scheduled tasks, ADS
  • Backdooring hosts to establish out-of-band persistent C2 channels out of an organisation